Every person working for, with or on behalf of iERA must adhere to the following
principles when dealing with personal data. Personal data must only be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Any employee, servant or agent of iERA, or any volunteer working with iERA, who becomes aware of a data protection breach or a possible data protection breach is required to inform the data protection manager (Karen Chiu) as soon as possible.
- On becoming aware of a breach, iERA as controller is obliged to inform the regulator within 72 hours. Data subjects must be informed of any breach affecting their personal data within 5 days unless iERA is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.