All staff, subcontractors and volunteers have a duty to make sure that they comply with the data protection principles contained in the 2018 Data Protection Act and GDPR, which are set out in iERA’s Data Protection and Privacy Policy.
Every person working for, with or on behalf of iERA must adhere to the following principles when dealing with personal data. Personal data must only be:
- Processed lawfully, fairly and in a transparent manner in relation to the subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Any employee, servant or agent of iERA, or any volunteer working with iERA, who becomes aware of a data protection breach or a possible data protection breach is required to inform the data protection manager (Karen Chiu) as soon as possible.
- On becoming aware of a breach, iERA as controller is obliged to inform the regulator within 72 hours. Data subjects must be informed of any breach affecting their personal data within 5 days unless iERA is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.