Data protection policy

1. Introduction

This Policy sets out the obligations of the British Lingual Orthodontic Society (“we/us/our/BLOS”) regarding data protection and the rights of our Members, prospective members and any other employee or individual (“Data Subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

As we undertake research that collects or evaluates personal information about a living person who can be identified from the information they have provided we aim to ensure compliance with the GDPR.

This Policy outlines our obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by us, our employees, agents, contractors, or other parties working on our behalf and we agree to ensure that all of our directors, employees, consultants and agents comply with this Policy.

In this Policy when we say “you”, “your” or “Member” we are generally referring to the Data Subject unless the context requires otherwise.

This Policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

We aim to ensure the correct, lawful, and fair handling of your personal data and to respect your legal rights.

2. Commencement of this Policy

This Policy shall be deemed effective as of 25th May 2018 however it will not have effect retrospectively and will apply only to matters occurring after this date.

3. Purpose

In the course of our business activities we collect, store and process personal data about our Members, potential members, suppliers and other third parties and therefore, in order to comply with the law and to maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.

This Policy therefore sets out how the British Lingual Orthodontic Society (‘BLOS’) and its Associates will seek to ensure compliance with the GDPR.

4. Application

This Policy applies to BLOS’s dealings with Members, clients and third parties that may be involved in processing personal information. It covers the way personal information will be obtained, used, shared, physically stored and destroyed.

All people working in or with our business are obliged to comply with this Policy when processing personal data.

5. How this Policy applies to you?

As an employee, contractor, consultant or agent on our behalf, you may be processing or accessing personal information on behalf of us, and as such will be required to comply with this Policy.

Anyone who breaches this Policy may be subject to disciplinary action, and where that individual has breached the Policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

As a line manager: there is a requirement to make sure that any procedures that involve personal data, follow the rules set out in this Data Protection Policy.

As an appointed third party data processor/contractor: as a data processor on our behalf, we confirm that we will enter in to further contractual terms with such third parties regarding the security of any personal data. Furthermore, data processors have direct obligations under the GDPR, primarily to only process data on instructions and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved.

As a Data Subject, you will have specific rights under the GDPR and under this Data Protection Policy as to how we collect, process and manage your personal data for our business.

Our procedures will be in line with the requirements of this Policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this Policy you must first speak to our Data Compliance Representative.

6. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“GDPR”) governs the processing (i.e. obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data (i.e. information relating to a living individual – the Data Subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. There are six principles that describe the legal obligations of organisations that handle personal information about individuals. These Principles are:

1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual.

The information we gather about an individual will be collected in a way where they are fully informed how we intend to use that information, for what purposes and how we will share it.

2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

We will explain why we need the information we are collecting and not use it other than for those purposes.

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We will only collect the information we need to provide the services required.

4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

The information we collect will be accurate and where necessary kept up to date. Inaccurate information will be removed or rectified as we become aware of the changes.

5. Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

We will not hold information for longer than is necessary.

6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We will make sure that the personal information we hold is held securely to ensure that it does not become inadvertently available to other organisations or individuals. We will also maintain security – i.e. there must appropriate technical or organisational measures to ensure appropriate security under GDPR.

In addition, personal data must not be transferred outside the European Economic Area (the “EEA”) without adequate protection.

BLOS fully supports these principles.

7. Notifying Data Subjects

As part of complying with the above principles, if you provide us with personal data we will always try to tell you:

• The purpose or purposes for which we intend to process that personal data;
• The types of third parties, if any, with which we will share or to which we will disclose that personal data;
• How you can limit our use and disclosure of their personal data; and
• If we receive personal data from other sources.

8. The meaning of key data terms

Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.

Data Subjects for the purpose of this Policy include all living individuals about whom we hold personal data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their personal information.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act. We are the data controller of all personal data used in our business for our own commercial purposes.

Processing is any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties

9. Rights of individuals

The General Data Protection Regulation creates specific rights of individuals. These include:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

10. Handling personal information, lawfully, fairly and transparently

The GDPR Rules are not intended to prevent the processing of personal data but to ensure that it is done fairly and without adversely affecting your rights. The processing of personal data is lawful if one (or more) of the following applies:

• (Consent) the Data Subject has consented for a specific purpose.
• (Contract) if the Data Subject requests the processing with a view to entering into a contract or the processing is necessary for the performance of a contract.
• (Legal obligation) if the processing is necessary for the compliance with a legal obligation to which the data controller is subject.
• (Protection) processing is necessary to protect your vital interests or those of another natural person.
• (Public interest) it is in the public interest for a task to be carried out which requires such processing, or the task is to be carried out as a result of the exercise of any official authority held by the data controller.
• (Legitimate interests) for the legitimate interest of the data controller or the party to whom the personal data is disclosed.
We may collect sensitive personal data for our business needs, but in the event, it is necessary to do so, we shall ensure it is in compliance with the GDPR Rules.

We are required to acquire and process personal information lawfully, fairly and in a transparent way. We shall therefore ensure that it is clear at the outset about the purpose for which information is obtained and processed. We aim to ensure that:

• Members and potential members are aware of the purpose or purposes for which the information is to be used and they have a choice as to whether to provide the information;
• Respondents are able to ask for confirmation of the source of their personal information;
• Personal information is not used in ways that would have adverse effects on Data Subjects;
• Members are provided with easy to read and understand privacy notices when information is collected;
• Personal information will only be handled in ways that individuals would reasonably expect;
• The third-party providers we work with to provide services to potential Members must comply with the requirements of the GDPR as well;
• Marketing undertaken by us will be undertaken in a manner that complies with the GDPR;
• We seek to uphold the individual’s rights with regard to their personal information.

Appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.

We will only process personal data for the specific purposes set out above or for any other purposes specifically permitted by the GDPR Rules. We will notify those purposes to you when we first collect the personal data or as soon as possible thereafter.

11. Consent for Members

Consent will be required for certain types of information usage.

When consent is required, it must be freely given, specific, informed and unambiguous. Requests for consent will be separate from other terms, and be in clear and plain language. The individuals consent will be “explicit” where it relates to sensitive data. BLOS is required to be able to demonstrate that consent was given. We therefore maintain records of clients consent to meet the accountability requirements for both the profession and the requirements of the General Data Protection Regulation.

12. Consent for marketing and prospecting purposes

Under the Privacy and Electronic Communication Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the customer or via a third party. An unsolicited communication is one that the customer has not invited but they have indicated that they do not, for the time being, object to receiving it. If challenged, businesses would need to demonstrate that an individual has positively opted in to receiving further information from us.

We understand that it is unlawful to contact individuals or organisations that have informed us that they do not wish to receive unsolicited marketing material. We shall therefore comply with the following:

Telesales – we ensure that individuals and organisations that we might wish to contact are not registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) respectively. If they are registered or have directly notified us not to call, then unsolicited direct marketing calls will not be made by us.

Emails and text message – we will not contact individuals by email or via text message without obtaining prior consent unless the individual’s details have been obtained in the course of a sale or negotiations of a sale. Individuals will be given the opportunity to opt out of receiving further marketing emails or texts each time that such contact is made.

The Mailing Preference Service (MPS) is managed by the Direct Marketing Association and supported by Royal Mail to enable individuals to register their names and addresses to limit the amount of direct mail they receive. Unsolicited marketing material will not be sent by post to individuals that have informed us they do not wish to receive such information or they have registered with the MPS.

We maintain internal logs of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information and conduct checks against the TPS, CTPS, FPS, eMPS and MPS databases as appropriate.

When data is purchased from third parties for prospecting purposes, we ensure that the data has been acquired by the third party through fair and lawful means, the data can be used for the purposes of unsolicited marketing activities and that the data has been cross-checked by the third party against the appropriate preference service databases.

13. Computer equipment, security and updates

We are aware of the vulnerability of laptops, phones and removable media and BLOS takes steps to ensure the security of these devices.

We ensure that all equipment used as part of our business processes is appropriately protected and secured. The equipment we use has up to date Malware and anti-virus software. When updates are notified because of a software patch, these are applied as they become available.

The laptops that are used for business purposes are encrypted and password protected to ensure that any personal information contained within them is appropriately secured.

It is not our practice to use unsecured phones for business purposes. If a phone is used for personal information then two factor authentication is applied to the handset.

14. Removable media

Any removable media used such as an external hard drive or USB pen drive are encrypted.

15. PECR and cookies

Under the PECR, as from 26 May 2011, businesses must seek consent before any cookie is set on an individual’s computer.

Cookies are small, often encrypted text files, located in browser directories. They are used by companies to help users navigate websites efficiently and perform certain functions. Cookies are also used to keep computer users logged in and their personal details private or for tracking their activity so that companies can improve the website. Cookies can be used by third parties to track information about individuals and spam them with adverts. By themselves, cookies pose no risk since they do not contain viruses.

Session cookies enable the website to track user movement from page to page so that the user does not get asked for the same information again. The most common example of this functionality is the shopping cart feature of an e-commerce website. Session cookies are never written on the hard drive and they do not collect any information from the user’s computer. Session cookies expire at the end of the user’s browser session.

Persistent cookies are stored on the user’s computer and are not deleted when the browser is closed. Such cookies can retain user identities and preferences, allowing those preferences to be used in future browsing sessions.

BLOS is responsible for ensuring that its websites comply with the PECR and that, where necessary, appropriate information is disclosed to website users and consent is obtained from users before cookies are set.

16. Fair treatment

Fairness generally requires us to be transparent, i.e. clear at outset and open with individuals about why the information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.

We aim to ensure that, in all cases, our consent and privacy statements will:

• Be clear, fair and not misleading;
• Explain the consequences of providing the required information;
• Explain how long the information will be kept for;
• Explain if the replies to questions are mandatory or voluntary;
• Explain if the information is to be anonymised and how;
• Explain if the information will be transferred overseas;
• Explain that if the information will be shared, who with and how they will use it;
• Explain how individuals may be contacted e.g. telephone, email, SMS, post;
• Explain the individual’s rights – e.g. they can obtain a copy of their personal information;
• Explain who to contact if they wish to know more information about how their information is held or to opt-out of receiving further information or if they need to complain; and
• Explain the individuals’ right to complain to the Information Commissioner’s Office.

We are responsible for ensuring that the following details are communicated to Members:

• The identity of the business or if appropriate, its nominated representative.
• The purpose(s) for which we intend to process the respondent’s personal information and if the information is to be shared or disclosed to other organisations. (so that the individual concerned can choose whether or not to enter into a relationship with the company sharing it).
• The process for anonymising the information prior to it being shared with the commissioning organisation.
• How customers can access the information held about them (as this may help them to spot inaccuracies or omissions in their records – see section 19).

17. Minimum amount of personal data

Under the principles of GDPR, we identify the minimum amount of personal data we need to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more. We do not hold personal data on the off-chance that it might be useful in the future.

18. Accurate and kept up-to-date

We will:

• Take reasonable steps to ensure the accuracy of any personal information they obtain;
• Ensure that the source of any personal information is clear;
• Establish if the individual has challenged the accuracy of the information, this is evaluated and recorded carefully; and
• Consider whether it is necessary to update the information, particularly if the purpose relies on the information being current.

19. Subject access requests

A Data Subject has the right to see the information that we hold about them and can make a request to access this information.

In line with the GDPR, we will request certain information before responding to a request:

• Enough information to judge whether the person making the request is the individual to whom the personal information relates to avoid personal information about one individual being sent to another, accidentally or as a result of deception.
• Sufficient information that would reasonably be required to find the personal information amongst the records held by the company and covered by the request.
• Data Subjects must make a formal request for information we hold about them. This must be made in writing to us.
• In the event of a Data Subject making a subject access request via a third party, we will request written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
• Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the Data Subject shall be informed.

Any Data Subject who makes a request is entitled to be:

• Told whether any personal information is held and being used;
• Given a description of the personal information, the reasons it is being processed, and whether it will be shared with any other organisations or individuals;
• Given a copy of the information; and
• Given details of the source of the information (where this is available).

20. Requests for information from law enforcement agencies

The General Data Protection Regulation includes exemptions, which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. We will release personal information to law enforcement agencies if required to do so.

21. Data security

We confirm that we have appropriate security measures in place to prevent personal information held being accidentally or deliberately compromised. In particular, we:

• Have designed and organised security to fit the nature of the personal information held and the harm that may result from a security breach;
• Are clear about everyone’s responsibility for ensuring information security;
• Make sure that the correct physical and technical security is in place, backed up by robust processes and procedures and reliable, well-trained staff; and
• Are ready to respond to any breach of security swiftly and effectively.

We recognise that information security breaches may cause real harm and distress to the individuals if their personal information is lost or abused (this is sometimes linked to identity fraud).

22. Outsourcing

We have procedures in place if we use third parties to process information to ensure that we:

• Only choose a data processor that provides sufficient guarantees about its security measures to protect the information and the processing it will carry out;
• Take reasonable steps to check that those security measures are working effectively in practice;
• Put in place a written contract setting out what the data processor is allowed to do with the personal information or business information; and
• Notify any data controllers with whom we are working, who the proposed data processor will be.

We require third parties to ensure that there are adequate security measures in place to secure the information that is being held.

23. Restrictions on transferring information to non-EEA countries

There are no restrictions on moving personal information within EEA countries. As we use cloud services, we know that personal information will be transferred outside the EEA. We are open and transparent with our clients and potential clients about where their information is processed and accessed.

We consider the following factors when deciding whether or not to transfer information overseas:

• The nature of the personal information being transferred.
• How the information will be used and for how long.
• The laws and practices of the country where information is being transferred to.

However we will ensure that the transfer is (one or more may apply):

• To a place that the EU has judged to provide adequate levels of protection for personal data;
• To a place that provides adequate safeguards under either an agreement with a public body, rules that bind companies or standard data protection clauses adopted by the EU or some other form of approved code of conduct approved by a supervisory authority or certification or other contractual clauses or regulatory provisions;
• Necessary for the performance of a contract between you and us or with a view to creating that contract;
• Made with your consent;
• Necessary for important public interest reasons, legal claims, to protect your vital interests.

24. Data loss

If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard, we will consider the following:

• Containment and recovery – the response to the incident includes a recovery plan and, where necessary, procedures for damage limitation.
• Assessing the risks – assess any risks and adverse consequences associated with the breach, as these are likely to affect how the breach needs to be contained.
• Notification of breaches – informing the Information Commissioner’s Office or other relevant Supervising Authority as necessary (within 72 hours), law enforcement agencies, data controllers on whose behalf we are working and individuals (whose personal information is affected) about the security breach is an important part of managing the incident.
• Evaluation and response – it is important to investigate the causes of the breach, as well as, the effectiveness of controls to prevent future occurrence of similar incidents.
• Additionally, we will look to ensure that any weaknesses highlighted by the information breach are rectified as soon as possible to prevent a recurrence of the incident.

25. Data retention

To comply with information retention best practice, we establish standard retention periods for different categories of information, keeping in mind any professional rules or regulatory requirements that apply and ensuring that those retention periods are being applied in practice. Any personal information that is no longer required will either be archived or deleted in a secure manner.

Our retention periods for different categories of personal information are based on individual business needs and contractual obligations.

We understand the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, it will reduce its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, we will also delete the record from any back-up of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.

26. Destruction of electronic records

All electronic files are destroyed by deletion and then the use of an electronic file shredder. This ensures that all electronic information is deleted permanently and cannot be recovered.

27. Secure disposal of records and computer equipment

Once the retention period expires or, if appropriate, the Member or business information is no longer required; paper records should be disposed of in a secure manner. All paper records containing membership or business information are disposed of by shredding. This includes all archived records.

All used computers, fax machines, printers and any other electronic equipment that may contain or that will have stored customer or corporate information in electronic format must be disposed of in an appropriate manner after the information has been completely wiped off. An external provider will be used to ensure that the memory on the devices is completely clean of information before the item is disposed of.

28. Training

We take our responsibilities with regards to ensuring training is undertaken seriously. We know that having policies and procedures in place provides a solid base for our training programme and we aim to undertake training in accordance with the role and seek specialist advice as and when required. All training is documented and reviewed regularly.

29. Data Protection Officer

We do not at this time meet the requirements for a dedicated Data Protection Officer but this is kept under review as the type of work and range of clients/respondent’s changes. We are committed to meeting the needs of the GDPR and if our business requires a DPO, we will seek to appoint one.

30. Review

This Policy will be reviewed periodically considering changing business priorities and practices and to consider any changes in legislation.