{"id":651,"date":"2025-09-16T20:09:13","date_gmt":"2025-09-16T19:09:13","guid":{"rendered":"https:\/\/odonodesign.com\/blog\/?page_id=651"},"modified":"2025-09-16T20:21:11","modified_gmt":"2025-09-16T19:21:11","slug":"gdpr-policy","status":"publish","type":"page","link":"https:\/\/odonodesign.com\/blog\/gdpr-policy\/","title":{"rendered":"GDPR Policy"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"overview\">1.&nbsp;Overview<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"introduction\">1.1&nbsp;Introduction<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1.1.2 The UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (together referred to as \u201cData Protection Legislation\u201d) regulate the processing of personal data and protect the rights of the data subject.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1.1.3 As odonodesign processes personal data, we are registered as a data controller (Registration Number Z7261665) with the Information Commissioner\u2019s Office (\u201cICO\u201d). This means we are responsible for deciding how we hold and use personal data. 
In certain circumstances, we may act as a joint data controller (please refer to section 2.5 Purposes of Processing, which refers to SLC\u2019s Privacy Notices for more detail).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1.1.4 Data Protection Legislation imposes restrictions on how we obtain, handle, store, destroy and process personal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"scope\">1.2&nbsp;Scope<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1.2.1 This Policy applies to all data subjects in relation to whom SLC holds or has received personal data in order to carry out SLC functions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"risk-appetite-alignment\">1.3&nbsp;Risk Appetite Alignment<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1.3.1 The requirements of this Policy support the mitigation of risks within the Security risk category outlined in the SLC risk language.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1.3.2 Compliance with Policy requirements ensures that SLC continues to operate within its risk appetite, which is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cautious appetite towards Security risks arising from a failure to prevent unauthorised and\/or inappropriate access to the estate and information, including cyber security and non-compliance with Data Protection Act 2018 requirements.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">1.3.3 A number of scenarios where a more granular risk tolerance applies are defined in the Security and Information Risk Appetite Statement, representing a greater or lesser appetite for risks posed by a specific system, process or asset.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"status-of-policy\">1.4&nbsp;Status of Policy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1.4.1 This Policy sets out SLC\u2019s rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, and destruction of personal data.<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">1.4.2 SLC\u2019s designated Data Protection Officer (DPO) is responsible for monitoring compliance with Data Protection Legislation and this Policy. Any questions or concerns about the operation of this Policy should be referred in the first instance to the DP Office (please refer to section 9 below for contact details).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1.4.3 If you consider this Policy has not been complied with, then you should raise the matter with SLC\u2019s DP Office at&nbsp;<a href=\"mailto:DPO@slc.co.uk\" class=\"govuk-link\">DPO@slc.co.uk<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"data-protection-legislation\">2.&nbsp;Data Protection Legislation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"background\">2.1&nbsp;Background<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">2.1.1 Data Protection Legislation regulates the processing of personal data in order to protect the interests of the data subject.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.1.2 This covers many data protection issues in detail and therefore you may find that guidance covering some aspects of data protection is set out in more detail in separate SLC policies and guidelines referred to within this Policy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"definitions\">2.2&nbsp;Definitions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">2.2.1 There are a number of key definitions used within Data Protection Legislation that are essential to understanding this Policy and SLC\u2019s obligations under Data Protection Legislation.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u201cdata\u201d<\/strong>&nbsp;\u2013 means information held electronically (eg.
computers, personal organisers, laptops), manually or in paper form as part of a filing system.<\/li>\n\n\n\n<li>A&nbsp;<strong>\u201cfiling system\u201d<\/strong>&nbsp;means any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.<\/li>\n\n\n\n<li><strong>\u201cpersonal data\u201d<\/strong>&nbsp;\u2013 means any information relating to an identified or identifiable natural person (\u2018data subject\u2019). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples of personal data include name, telephone number, age, qualifications and employment history.<\/li>\n\n\n\n<li><strong>\u201cdata controller\u201d<\/strong>&nbsp;\u2013 means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.<\/li>\n\n\n\n<li><strong>\u201cdata processor\u201d<\/strong>&nbsp;\u2013 means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.<\/li>\n\n\n\n<li><strong>\u201cdata protection officer\u201d<\/strong>&nbsp;&#8211; the individual whose primary role is to ensure that their organisation processes the personal data of its employees, customers, providers or any other data subjects in compliance with the applicable Data Protection Legislation.<\/li>\n\n\n\n<li><strong>\u201cdata subject\u201d<\/strong>&nbsp;\u2013 means an identified or identifiable natural person.
Data subjects may include employees, contractors, customers, job applicants, candidates and suppliers; and the data processed may relate to present, past and prospective data subjects.<\/li>\n\n\n\n<li><strong>\u201cprocessing\u201d<\/strong>&nbsp;\u2013 means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. \u201cProcess\u201d and \u201cprocessed\u201d will be construed accordingly.<\/li>\n\n\n\n<li><strong>\u201cspecial category data\u201d<\/strong>&nbsp;\u2013 means racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"data-protection-principles\">2.3&nbsp;Data Protection Principles<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">2.3.1 SLC has a duty to ensure that all personal data (however collected) is processed in accordance with the below data protection principles, as detailed in Data Protection Legislation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.3.2 Personal data must be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>processed lawfully, fairly and in a transparent manner in relation to the data subject (\u2018lawfulness, fairness and transparency\u2019);<\/li>\n\n\n\n<li>collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (\u2018purpose limitation\u2019);<\/li>\n\n\n\n<li>adequate, relevant and limited to what is necessary in 
relation to the purposes for which they are processed (\u2018data minimisation\u2019);<\/li>\n\n\n\n<li>accurate and, where necessary, be kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay (\u2018accuracy\u2019);<\/li>\n\n\n\n<li>kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (\u2018storage limitation\u2019); and<\/li>\n\n\n\n<li>processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (\u2018integrity and confidentiality\u2019)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"special-category-criminal-convictions-data-and-slc-sensitive-information\">2.4&nbsp;Special Category, Criminal Convictions Data and SLC Sensitive Information<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">2.4.1 SLC employees may in certain circumstances become privy to special category and criminal convictions data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.4.2 Data Protection Legislation states that special category data should only be collected, processed, or disclosed in very specific circumstances eg. 
explicit consent, as it is recognised that the processing of this data may create significant risks to the data subject\u2019s rights and freedoms.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.4.3 Criminal record data is not special category data; it does, however, have protections under Data Protection Legislation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.4.4 SLC Sensitive Information &#8211; SLC may also store and process information that does not meet the definition of special category data but is deemed sensitive and therefore requires additional handling arrangements, for example bank and financial details and interview transcripts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1.&nbsp;Overview 1.1&nbsp;Introduction 1.1.2 The UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (together referred to as \u201cData Protection Legislation\u201d) regulate the processing of personal data and protect the rights of the data subject. 1.1.3 As odonodesign processes personal data, we are registered as a data controller (Registration Number Z7261665) with
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-651","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/pages\/651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/comments?post=651"}],"version-history":[{"count":2,"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/pages\/651\/revisions"}],"predecessor-version":[{"id":656,"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/pages\/651\/revisions\/656"}],"wp:attachment":[{"href":"https:\/\/odonodesign.com\/blog\/wp-json\/wp\/v2\/media?parent=651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}