A Guide To Protecting Personal Information for Response Teams
No matter where in the world you’re located, protecting personal information is a key requirement for response organizations and their teams. While this guide was born from the new EU data privacy law, GDPR, many other regions have strong data protection laws and this guide serves as best practice.
Over the last year, we have invested a lot of time preparing D4H for better data protection, but our efforts go well beyond making sure we’re ready for new laws - everything we do at D4H has moved to ‘privacy by design’.
Please note that while D4H has consulted with our legal firm regarding data protection and GDPR, D4H is not a legal firm. All information we provide regarding data protection and GDPR is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law.
How Does Good Data Protection Benefit Me?
While good data protection requires some effort, it can also lead to some big benefits for your response organization.
• Good data protection standards will help create a more trusting relationship between you and your community. It creates an atmosphere of discipline and respect around good information.
• Good data protection empowers your community and your own personnel to understand exactly what data is being collected and how it will be used. Data becomes a higher quality as it is clear what should be included or omitted.
• Since good data protection provides people with the right to easily specify and update consent, it should also lead to good written policies on data erasure (deleting data), retention (keeping data), and portability (ability to move systems).
Important data protection language to understand
Personal Data: Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Your data subjects will be your personnel, patients, or members of the public you record identifying information about.
Data Controllers: The entity that determines the purposes, conditions, and means of the processing of personal data. Your organization/company is the Data Controller for your organization’s data.
Data Processors: The entity that processes data on behalf of the Data Controller. You will have many data processors, they might include external course providers, contractors, umbrella organizations, certification bodies, auditors, and your IT systems. In this context, D4H Technologies would be a data processor as we process data on behalf of our customers.
Data Subjects: A natural person whose personal data is processed by a controller or processor.
Ten Areas For Response Organizations
1- Becoming Aware of Data Protection: It is imperative that key personnel in your organization are aware of the laws. Start to identify areas of information that could cause compliance problems.
• Is the information you record about your own personnel appropriate?
• If the information is not required for them to undertake their role, do you have their consent to record it?
• What personal information do you share within your organization?
• Do you record patient information?
• Do you collect information about children or minors?
• Do you record any health, criminal, offense-related, or special category data?
2- Becoming Accountable: You must document the ways in which each category of data you record complies with data protection principles.
• Do you have a lawful basis for all the information you hold? There are six lawful bases you can assign: legitimate interest, legal obligation, contract, public task, vital interests, and consent.
• Make an inventory of all personal data and document why you are holding it, how you obtained it, how secure it is, and how long you will retain it.
3- Communicating with Personnel: Decide how you will train and inform your staff, personnel, membership, and service users about your data protection policies.
• Before collecting information, you may have to add your clear identification, policy documents, or explicit consent checkboxes to forms.
• Ensure that your policies are provided in concise, easy to understand and clear language.
• Organize ongoing training for your personnel so they understand your policies and their responsibilities.
4- Personal Privacy Rights: You should review your procedures to ensure they cover all the rights individuals have.
• Have you an easy way to delete personal data if requested?
• Can you provide personal data electronically and in a portable, machine-readable format such as CSV?
• Can you easily correct inaccuracies everywhere?
5- How do you answer data access requests? You should review and update your procedures and plan how you will handle requests within the new timescales.
• How would your organization react if it received a request from a data subject wishing to exercise their rights?
• It could ultimately save your organization a great deal of administrative cost if you can use systems that allow people to access their information easily online.
6- Confirm if you have a ‘Legal Basis’ for collecting data: All organizations need to carefully consider how much personal data they gather, and why.
• For government departments and agencies, there can be a significant reduction in the number of legal bases they may rely on when processing data.
• If any categories of personal data can be discontinued, do so.
• For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymization and pseudonymization.
7- Using consent as grounds to process data: If you do use consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes.
• This is most likely to relate to charities or other response organizations who keep email or marketing lists. Communicating directly with a person using their personal data is likely to require their consent.
8- Processing Children’s Data: Ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.
• Do you store any personal data of casualties, victims, or members of the public who are under 18 years of age? While this may be covered by health processing rules and have a lawful basis, consider it.
• Have you any members of staff or personnel who are under 18 for whom you need to make special provision?
9- Data Protection Impact Assessments (DPIA): A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organizations to identify potential privacy issues before they arise and come up with a way to mitigate them.
• A DPIA should be treated as mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”
• This is particularly relevant when a new data processing technology is being introduced.
• In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still good practice.
You can access our template for Data Protection Impact Assessment (DPIA) for Emergency Response Teams.
10- Reporting data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
• Have you defined a dedicated person for your personnel to report breaches to?
• Do your personnel know what a breach looks like?
D4H Privacy By Design
D4H Technologies aims to make managing your response organization’s data as easy as possible. To ensure that this is the case we provide tools that help you compliantly manage the personal data of your organization from start to finish. These tools will enable you to meet your obligations.
D4H And Your Legal Basis
It is likely that the collection of personal data in your personnel function relies on the lawful bases of ‘performance of a contract’ and ‘compliance with a legal obligation’.
We developed these tools to help you act within your legal basis.
User Sign-In Terms
In [Settings] you can now define user sign-in terms. Your users must agree to the terms you set before storing or accessing any data within D4H Personnel & Training. A screen will show you everyone who has signed the terms, and who has not yet.
D4H For Data Controllers
D4H Technologies is a data processor and as such we do not and cannot determine the lawful basis for processing customer data on behalf of customers. However, we do allow customers to customize the data that they collect. Since customers determine what data is collected about each member of their personnel, it is up to the customer to determine the lawful bases for processing a member's personal data.
Rather than dictate the data you store, we allow you to add your own custom fields to members' profiles as you choose. This gives you full control over what is included on a member's profile and what is not.
Private Custom Fields
Custom fields may be set as private or shared with the team. Private fields have restricted display permissions, so other members cannot see them.
Custom Contact Fields
Our built-in contact information fields (e.g. phone numbers, home address etc.) all have customizable levels of data collection. They may each be customized as Shared, Private, or Disabled.
Disable Identifying Information
By default, our Persons Involved records include Name, Date of Birth, and Contact Details. Depending on what other data you are collecting about the person involved and your organizational policies, you may choose to make these anonymous by turning off Identifying Information in Settings.
D4H And The Right to be Forgotten
Also known as Data Erasure, it entitles your data subjects to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data. The general rule for keeping any personal data is “no longer than is necessary for the purposes for which the personal data are processed.” As this does not specify a maximum time period, it is the responsibility of the data controller to determine the appropriate time period for retaining data.
We’ve got you covered with these tools:
Permanently Delete Members
Members are by default sent to a trash-can area when deleted, which allows you to reinstate them if needed. You also have the option to permanently delete a member. This function not only deletes their profile record but also deletes their entire history with the organization: all attendance data is removed from published activities, all qualification data, current and historic, is removed, and all profile data fields are emptied.
As we use a common field for a member's name, it is possible to update their ‘Name’ field to ‘Name Hidden’ in one single location to pseudonymize them everywhere in past and present data records.
Permanently Delete Field Data
If you have created a data field category which later provides compliance difficulties, you are able to single-click delete it and all its data everywhere.
Browse your members by Retired Date to see how long you’ve held their data after they’ve finished with your organization. Your contract with your members should state the retention period for which you hold their data. We’ve also added an ‘All Member Data’ export in a machine-readable format, which gives you a CSV file of all the personal data you have collected about past and present members and can be used for bulk operations in your preferred spreadsheet editor.
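The three mechanisms described in this section (pseudonymizing a member by rewriting one shared name field, permanently deleting a member together with their attendance and qualification history, and reviewing retired members against a retention period with a CSV export) all depend on one data-model property: every historical record references the member row rather than copying the member's details. The following is an added illustration, not D4H code; it models that property with a toy SQLite schema (`members`, `attendance`, `qualifications`) and constructed sample data, and the table and column names are assumptions made for the example.

```python
"""Toy member store showing erasure, pseudonymization and retention review.

Added example. The schema and sample rows are constructed for illustration
and are not the D4H data model.
"""
import csv
import io
import sqlite3
from datetime import date


def build_store():
    """Create an in-memory store where history rows reference the member row."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE in SQLite
    con.executescript(
        """
        CREATE TABLE members (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            phone TEXT,
            retired_on TEXT            -- ISO date, NULL while still active
        );
        CREATE TABLE attendance (
            id INTEGER PRIMARY KEY,
            member_id INTEGER NOT NULL REFERENCES members(id) ON DELETE CASCADE,
            activity TEXT NOT NULL
        );
        CREATE TABLE qualifications (
            id INTEGER PRIMARY KEY,
            member_id INTEGER NOT NULL REFERENCES members(id) ON DELETE CASCADE,
            title TEXT NOT NULL,
            expired INTEGER NOT NULL    -- 1 = historic, 0 = current
        );
        """
    )
    # Constructed sample data.
    con.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        (1, "Alice Example", "555-0100", None),
        (2, "Bob Example", "555-0101", "2016-03-01"),
        (3, "Carol Example", "555-0102", "2023-11-15"),
    ])
    con.executemany("INSERT INTO attendance (member_id, activity) VALUES (?, ?)", [
        (1, "Flood response"), (2, "Flood response"), (2, "Night search"), (3, "Training"),
    ])
    con.executemany("INSERT INTO qualifications (member_id, title, expired) VALUES (?, ?, ?)", [
        (1, "First Aid", 0), (2, "First Aid", 1), (2, "Swiftwater", 0), (3, "First Aid", 0),
    ])
    con.commit()
    return con


def attendance_report(con, activity):
    """Names shown on a published activity, resolved through the member row."""
    rows = con.execute(
        "SELECT m.name FROM attendance a JOIN members m ON m.id = a.member_id "
        "WHERE a.activity = ? ORDER BY m.id", (activity,)
    ).fetchall()
    return [name for (name,) in rows]


def pseudonymize_member(con, member_id, placeholder="Name Hidden"):
    """Rewrite the single name field; every joined record now shows the placeholder."""
    con.execute("UPDATE members SET name = ?, phone = NULL WHERE id = ?", (placeholder, member_id))
    con.commit()


def permanently_delete_member(con, member_id):
    """Delete the member row; the cascade removes attendance and qualification history.

    Returns the number of rows still referencing the member per table (expected 0).
    """
    con.execute("DELETE FROM members WHERE id = ?", (member_id,))
    con.commit()
    att = con.execute("SELECT COUNT(*) FROM attendance WHERE member_id = ?", (member_id,)).fetchone()[0]
    qual = con.execute("SELECT COUNT(*) FROM qualifications WHERE member_id = ?", (member_id,)).fetchone()[0]
    return {"attendance": att, "qualifications": qual}


def overdue_retention(con, today_iso, retention_days):
    """Retired members whose data has been held longer than the stated retention period."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for member_id, name, retired_on in con.execute(
        "SELECT id, name, retired_on FROM members WHERE retired_on IS NOT NULL ORDER BY id"
    ):
        held_days = (today - date.fromisoformat(retired_on)).days
        if held_days > retention_days:
            overdue.append((member_id, name, held_days))
    return overdue


def export_all_member_data(con):
    """Machine-readable CSV of every personal-data row held, for portability or bulk review."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "name", "phone", "retired_on"])
    for row in con.execute("SELECT id, name, phone, retired_on FROM members ORDER BY id"):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    store = build_store()
    pseudonymize_member(store, 2)
    print(attendance_report(store, "Flood response"))
    print(permanently_delete_member(store, 3))
    print(overdue_retention(store, "2024-01-01", 3 * 365))
    print(export_all_member_data(store))
```

Pseudonymization here only removes direct identifiers from the member row; free-text fields on activity or incident records that mention a person by name would still need separate review, which is why the retention report and full export are useful as a check before declaring an erasure complete.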
D4H And Individual Rights Requests
Good data protection extends the data subject's rights to access, rectification and deletion. How will D4H help with these rights requests?
Individuals in many jurisdictions, and especially EU citizens under GDPR, now have the right to know which personal data an organization is processing about them; to restrict the processing of personal data; to correct incomplete or inaccurate personal data; to have their personal data deleted; to object to their data being used for certain purposes; or to have their data in a format that they may share with another organization.
Response organizations will need to be prepared to respond to individual rights requests from personnel in a timely manner. As a processor, D4H Technologies will support customers responding to an individual rights request via appropriate technical and organizational measures.
With D4H, it is already possible for data subjects to easily and quickly update their own details where applicable. For other individual rights requests, D4H will assist customers on a case-by-case basis to respond.
Member Editable Fields
Custom fields added to a member's profile may be set as ‘Editable By Member’ when the field is created. This gives data subjects the chance to update their own details where applicable.
D4H And Data Security
How can D4H help customers securely process personal data? Data controllers are obligated to work with processors who can provide sufficient guarantees that they will implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Data security measures should, at a minimum, allow:
• Pseudonymizing or encrypting personal data. D4H Personnel & Training and D4H Incident Reporting encrypt all data at rest and in transit.
• Maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services. D4H is a managed and monitored service. Our engineers are constantly ensuring the system is available and operating as normal.
• Restoring the availability of and access to personal data, in the event of a physical or technical security breach. We keep real-time mirroring of data between multiple availability zones within the data centers. Our data store uses a hot-standby system which will automatically failover as required. All data has a 35-day point-in-time recovery.
• Testing and evaluating the effectiveness of technical and organizational measures. D4H has been committed to data security from the very start and will continue to be. D4H is deployed using the Amazon Web Services platform and data centers. We take advantage of the extensive security options available on AWS to give you confidence that the highest standards and best practices are maintained. Amazon Web Services meets international, regional, and industry-specific compliance standards, such as ISO 27001, EU-U.S. Privacy Shield Framework, SOC 1, and SOC 2.
Data Processing Agreements For Existing Customers
If you are an existing customer located in the EU or another jurisdiction that requires a Data Processing Amendment to your Service Agreement with us, please contact our commercial team through the help desk <[email protected]>.