ABOUT THIS POLICY
- This is the “appropriate policy document” (as required by data protection law in certain jurisdictions) for DataFlow Services FZ-LLC (“DataFlow”, “we”) setting out how we will protect Criminal Convictions Data and Professional Malpractice Data.
- This policy supports DataFlow’s Data Protection Policies (including its policies on data classification, information security and data retention).
- This document meets the requirement of the UK’s Data Protection Act 2018 that an appropriate policy document be in place when Criminal Convictions Data is Processed in certain circumstances.
DEFINITIONS
Controller: the person or organisation that determines when, why and how to Process Personal Data (for example DataFlow or another group company).
Criminal Convictions Data: personal data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
Data Retention Policy: DataFlow’s policy on how the organisation classifies and manages the retention and disposal of its information.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of “Privacy by Design” and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
DPA 2018: the UK Data Protection Act 2018 (as amended, updated or superseded from time to time).
GDPR: as applicable, the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018, or the UK GDPR (having the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018).
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess.
Privacy Notice: a separate notice setting out information that may be provided to Data Subjects when the organisation collects information about them.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Professional Malpractice Data: Personal Data revealing a Data Subject’s fraudulent records, misconduct records and/or disciplinary action taken against a Data Subject.
WHY WE PROCESS CRIMINAL CONVICTIONS DATA AND PROFESSIONAL MALPRACTICE DATA
We process Criminal Convictions Data and Professional Malpractice Data for the following purposes, in the course of providing our services to our clients:
- conducting background screening on individuals;
- checking an applicant’s right to work in a country; and
- verifying that candidates are suitable for employment,
in order to expose forged academic degrees, employment certificates and practice licences, as well as fraudulent passports and work permits, on behalf of clients as part of our verification services to ensure that hired professionals have the qualifications they claim.
PERSONAL DATA PROTECTION PRINCIPLES
The GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).
We comply with the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
- processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
- collected only for specified, explicit and legitimate purposes (Purpose Limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
- accurate and where necessary kept up to date (Accuracy);
- not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
COMPLIANCE WITH DATA PROTECTION PRINCIPLES
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We will only Process Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Criminal Convictions Data and Professional Malpractice Data only if we have a legal ground for Processing and one of the specific Processing conditions applies. We will identify and document the legal ground and specific Processing condition relied on for each Processing activity.
When collecting Criminal Convictions Data and Professional Malpractice Data from Data Subjects, either directly from Data Subjects or indirectly (for example from a third party or publicly available source), we will provide Data Subjects with a Privacy Notice setting out all the information required by the GDPR in a privacy notice which is concise, transparent, intelligible, easily accessible and in clear plain language which can be easily understood.
Data category | Lawful Processing basis | Processing condition |
Criminal Convictions Data | Compliance with a legal obligation (Article 6(1)(c)). OR In the organisation’s legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts). (Paragraph 10(1), Schedule 1, DPA 2018.) |
Professional Malpractice Data | Compliance with a legal obligation (Article 6(1)(c)). OR In the organisation’s legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. | Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as protecting the public against dishonesty (Paragraph 11(1), Schedule 1, DPA 2018) or regulatory requirements relating to unlawful acts and dishonesty (Paragraph 12(1), Schedule 1, DPA 2018)). |
PURPOSE LIMITATION
Personal Data must be collected only for specified, explicit and legitimate purposes. They must not be further Processed in any manner incompatible with those purposes.
We will only collect personal data for specified purposes and will inform Data Subjects what those purposes are in a published Privacy Notice. We will not use Personal Data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.
DATA MINIMISATION
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes.
ACCURACY
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
STORAGE LIMITATION
We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data it shall be deleted or rendered permanently anonymous.
We maintain a Data Retention Policy and related procedures to ensure Personal Data is deleted after a reasonable time has elapsed for the purposes for which it was being held, unless we are legally required to retain that data for longer.
We will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
SECURITY, INTEGRITY, CONFIDENTIALITY
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.
ACCOUNTABILITY PRINCIPLE
We are responsible for, and able to demonstrate compliance with, these principles. Our Data Protection Officer (DPO) is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.
We will:
- Ensure that records are kept of all Personal Data Processing activities, and that these are provided to the Information Commissioner on request.
- Carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate.
- Maintain a DPO to provide independent advice and monitoring of Personal Data handling, and ensure that it has access to report to the highest management level.
- Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.
DATAFLOW’S POLICIES ON RETENTION AND ERASURE OF PERSONAL DATA
We take the security of Criminal Convictions Data and Professional Malpractice Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Criminal Convictions Data or Professional Malpractice Data are Processed, that:
- The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.
- Where we no longer require Criminal Convictions Data or Professional Malpractice Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible. We generally hold Criminal Convictions Data or Professional Malpractice Data in the form it was supplied to our clients for 15 years from the date it was collected, on the basis that it is often required by our clients to support a malpractice investigation or similar proceedings which can occur in the medical industry many years after the original verification was carried out, and because individuals may move to work in different jurisdictions where the legislation may require the data to be held for these periods of time.
- Where records are destroyed we will ensure that they are safely and permanently disposed of.
Data Subjects receive a Privacy Notice setting out how their Personal Data will be handled when we first obtain their Personal Data, and this will include the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period. The Privacy Notice is also available on our website.
REVIEW
This policy on Processing Criminal Convictions Data and Professional Malpractice Data is reviewed bi-annually, or more frequently in the event of a change in the law.
The policy will be retained where we process Criminal Convictions Data and Professional Malpractice Data and for a period of at least six months after we stop carrying out such processing.
A copy of this policy will be provided to the Information Commissioner on request and free of charge.
For further information about our compliance with data protection law, please contact our Data Protection Officer at support@dataflowgroup.com.
Last updated: May 2021