Data Protection Policy
Classification: Public
This document may be shared with interested parties outside of the SureScreen Group of companies.
| Version | Approved By | Owner | Date Last Updated | Review Frequency | Next Review | Comments |
| 1 | Troy Whyte | George Marshall | 17/07/2025 | Annually | 17/07/2026 |
Contents
3. Data Protection Principles 2
5. Lawful, Fair & Transparent Processing 2
11. Breaches of Personal Data 3
Purpose of This Document
This policy outlines how the ‘SureScreen Group’ (consisting of SureScreen Diagnostics, SureScreen Scientifics, SureScreen Materials and SureScreen Health) will;
- Protect, process and store any personal data it handles on behalf of employees, signatories or customers.
- Comply with Data Protection legislation, including, but not limited to, the UK’s Data Protection Act and the UK and EU General Data Protection Regulations and use these as a benchmark of personal data protection guidance for data globally.
Definitions & Scope
Personal data is defined as any information relating to an identified or identifiable natural living person and may include;
- names of individuals
- postal addresses
- email addresses
- telephone numbers
- photos
- any other information relating to individuals
DPA or GDPR does not cover anonymised data if the data cannot be reverse engineered to identify the subject.
Some information is highly sensitive and should be afforded greater protection, including;
- Race or ethnic origin
- Political opinions;
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric ID data
- Health data
- Sexual life or sexual orientation
- Criminal data (convictions and offences)
Within the policy, the term “Responsible Person” means the person within the organisation who owns the business process and processes the data.
Data Protection Principles
Personal Data must be;
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.”
General Provisions
- This policy applies to all personal data the SureScreen Group processes, including staff, consultants, signatories, and others.
- The data owners within the SureScreen Group shall be responsible for ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The SureScreen Group of companies shall register individually with the Information Commissioner’s Office as an organisation that processes personal data.
- The SureScreen Group shall check annually on identifying and appointing a Data Protection Officer.
Lawful, Fair & Transparent Processing
- To ensure its data processing is lawful, fair and transparent, the SureScreen Group shall maintain a Register of Systems processing personal data.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their data, and any requests to the SureScreen Group shall be handled promptly.
Lawful Purpose
- All data processed by the SureScreen Group must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- The SureScreen Group shall record the lawful basis, if necessary.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available, and systems should be in place to ensure such revocation is reflected accurately in the SureScreen Group ‘s systems.
Data Minimisation
- The SureScreen Group shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
- The SureScreen Group shall take reasonable steps to ensure accurate personal data.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving & Removal
- To ensure that personal data is kept for no longer than necessary, the SureScreen Group shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
Security
- The SureScreen Group shall ensure that personal data is stored securely using modern, up-to-date software.
- Access to personal data shall be limited to personnel who need access, and appropriate security should be in place to avoid unauthorised information sharing.
- When personal data is deleted, this should be done safely so that the data is irrecoverable.
- Appropriate backup and disaster recovery solutions shall be in place.
Breaches of Personal Data
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the SureScreen Group shall promptly;
- Report the breach to the IT Service Desk team as quickly as possible so that they may support controlling the data breach.
- Report the breach to their line manager, who will assist with the impact assessment and oversight.
- Report the breach to the DPO for any breaches of staff data.
- Assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO (more information on the ICO website). Do not report the breach to the ICO without a Line Manager’s approval and assessment.