Data Protection

Diamond is committed to protecting the privacy and security of the Personal Data that we collect and process.  This Policy sets out the way in which Diamond collects and processes Personal Data in order to ensure that we meet the expectations of our stakeholders and our obligations under the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and associated data protection legislation.

This Policy applies to all collecting and processing of Personal Data by all persons working for Diamond or on our behalf in any capacity, including Diamond Employees, joint appointees, seconded workers, collaborators, members of our advisory groups/committees, members of our review panels, students, volunteers, interns, agents, contractors (specifically including suppliers and casual and agency staff), external consultants and third-party representatives (“you”).

 

For the avoidance of doubt, this Policy only applies to you insofar as you may be working for or on behalf of Diamond.This Policy does not form part of any Diamond Employee’s contract of employment and may be subject to change at the discretion of Diamond.

This policy does not form part of any Diamond Employee’s contract of employment and may be subject to change at the discretion of Diamond.

Diamond’s Board of Directors have overall responsibility for this policy and have delegated the day-to-day responsibility for its operation to the Data Protection Officer. Any queries or suggestions relating to this policy should be sent to dataprotection@diamond.ac.uk.

 

The Data Protection Officer is responsible for overseeing this policy, monitoring internal compliance, advising on Diamond’s data protection obligations and acting as a point of contact for individuals and the Information Commissioner’s Officer (ICO).

1. 1. Privacy Notice;
2. 2. Information Security Policy;
3. 3. IT Acceptable Use Policy;

 All forms referred to within this document can be found on the Diamond website or Intranet

Processing means any action taken on an individual’s Personal Data including collecting, storing, organising, retrieving, using, disclosing, modifying or deleting that data. This can include collecting email addresses for mailing lists, staff management and payroll administration or posting a photo of a person on a website.

 

Processing includes both automated and manual processing.

 

Processing applies to all Personal Data regardless of where it is stored, whether it be in a database, on paper or video surveillance.

The processing of Personal Data by or on behalf of Diamond must comply and be in accordance with seven principles relating to the processing of Personal Data set out in the Data Protection Legislation, which require that Personal Data is:

 

Processed lawfully, fairly, and in a transparent manner, which means:

 

• Identifying valid reasons for collecting and using Personal Data
• Not do anything with the Personal Data that would be unlawful, or adverse to the individual concerned
• Only use Personal Data in a way that is fair
• Be clear and honest with individuals about how their Personal Data will be used
•  

Collected and used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes, which means:

 

• Clearly documented purposes for processing Personal Data
• Regularly review our processing and purposes
• Not use Personal Data for a new purpose if it is incompatible with the original purpose

 

Adequate, relevant and limited to what is necessary, which means:

 

• Only collect the Personal Data we actually need for our purposes
• Have sufficient Personal Data to properly fulfil these purposes

 

Accurate and, where necessary, up-to-date, which means:

• Taking all reasonable steps to ensure the Personal Data is correct
• Promptly correcting or erasing any incorrect Personal Data

 

Not kept for longer than is necessary, which means:

 

• Regularly reviewing what Personal Data held and why
• Careful consideration and justification have been given on how long Personal Data is kept for
• Securely deleting or destroying data no longer needed

 

Kept safe and secure using appropriate technical and organisational measures to protect the data, which means:

 

• Undertaken analysis of the Personal Data processed, any risks presented by the processing and put in place appropriate security and technical measures
• Ensuring that any security measures in place are being regularly reviewed, making any improvements as necessary
• Understand the requirements of confidentiality, integrity and availability for the Personal Data processed
• Reporting security breaches promptly so that they can be reported to the ICO within the 72-hour timeframe.

 

Diamond is accountable for how data is handled.

 

Stricter rules apply to the processing of Special Categories of Personal Data. This is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

The first data processing principle requires that Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the individual. You may only collect, process and share Personal Data fairly and lawfully and for specified purposes. This is important in order to ensure that we process Personal Data fairly and without adversely affecting the rights of individuals. The Data Protection Legislation only allows processing for the following specified lawful purposes:

 

Consent: The individual has given clear consent for Diamond to process their Personal Data for a specific purpose;

 

Contract: The processing is necessary for the performance of a contract Diamond has with the individual, or because they have asked Diamond to take specific steps before entering into a contract;

 

​​​​​​​Legal obligation: The processing is necessary for Diamond to comply with the law (not including contractual obligations);

 

​​​​​​​Vital interests: The processing is necessary to protect someone’s life;

 

​​​​​​​Public Interest: The processing is necessary for Diamond to perform a task in the public interest or for official functions, and the task has a clear basis in law; and

 

​​​​​​​​​​​​​​Legitimate interests: the processing is necessary for Diamond’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests.

 

Many of the lawful bases for processing Personal Data require that the processing is “necessary”. This does not mean that the processing must be essential, but it must be a targeted and proportionate way of achieving the purpose. If other less intrusive means can reasonably achieve the purpose, you should use them instead.

 

Before undertaking any new types of processing of Personal Data, including collecting Personal Data for a new purpose, you must complete a questionnaire to let us know what types of personal processing you will be processing and for what purposes. If the processing may result in a high risk to individuals you will be required to undertake a Data Protection Impact Assessment. These questionnaires and assessments help us to comply with our data protection obligations and meet the privacy expectations of individuals.

Guidance from Diamond on the processing of Personal Data and the Data Protection Legislation in general is available here and Privacy Notice is available here. Additional guidance will be provided as required.

 

If you still have questions on the processing of Personal Data at Diamond, please contact the Data Protection Officer at dataprotection@diamond.ac.uk.

 

The ICO, which is responsible for enforcing compliance with data protection legislation, has published helpful guidance on data protection on its website.

Awareness of this policy forms part of our induction and training process.

You are encouraged to raise concerns about any issue or suspicion that this policy is not being or has not been followed.

Any employee who breaches this Policy will face disciplinary action, which could result in dismissal for misconduct or gross misconduct. We may terminate our relationship with other individuals and organisations working on our behalf if they breach this policy.

At Diamond we understand that there are differences amongst our employees in terms of the protected characteristics contained within the Equality Act 2010. We therefore aim to deliver policies and services which are efficient and effective, accessible to all, and which meet our employees’ different needs. If you need any help to understand this document or require any appropriate support, please contact the Data Protection Officer.

This Policy will be kept under review and may be revised as considered appropriate. It will be the most recently published version of this policy that will apply if any issue arises which needs to be addressed under it.

For the purposes of this policy, the following definitions shall apply:

 

Data Protection Legislation: Data Protection Act 2018, the UK General Data Protection Regulation and all other legislation and regulatory requirements which apply to the use of Personal Data.

 

Data Protection Officer: Diamond’s General Counsel and Company Secretary.

 

​​​​​​​Data Subject: An individual who is the subject of Personal Data.

 

​​​​​​​Diamond: Diamond Light Source Limited, a company incorporated and registered in England and Wales, with company number 4375679 and with registered office at Diamond House, Harwell Science & Innovation Campus, Didcot, Oxfordshire, OX11 ODE, United Kingdom.

 

​​​​​​​Diamond Employee: Any person working for Diamond under a contract of employment. Herein referred to as ‘employee(s)’.

 

​​​​​​​Personal Data: Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

 

​​​​​​​Process/processing: Any activity that involves the use of Personal Data, including obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

 

​​​​​​​​​​​​​​Special Categories of Personal Data: Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.