General Data Protection Regulation (2018)

We are totally committed to protecting your privacy. Any information we collect about you is done so in accordance with the Data Protection Act (1998) and the General Data Protection Regulation (GDPR) 2018. We collect information about you for two reasons: firstly, to provide you with a service and secondly, to provide you with the best possible service.

We will never collect sensitive information about you without your explicit consent. The information we hold will be accurate and up to date. You can check the information that we hold about you by emailing us at If you find any inaccuracies we will delete or correct it promptly. The personal information which we hold will be held securely in accordance with our Internal Security Policy and the Web Trader Code. If we intend to transfer your information outside the EEA (European Economic Area) we will always obtain your consent first.

We don’t share your information without your explicit consent. We may use technology to track the patterns of behaviour of visitors to our website. This can include using a “cookie” which would be stored on your browser. You can usually modify your browser to prevent this happening. The information collected in this way can be used to identify you unless you modify your browser settings. If you have any questions/comments about privacy, you should contact us.

  • The GDPR is applied to organisations that are either controllers of data or those processing data. As in the current data protection act we are classed as a controller. We are responsible for how and why personal data is processed and as processors, our staff and associates are responsible to act on our behalf. However, in the GDPR processors now have a specific legal obligation to maintain records on what personal data they are processing and their processing activities. Therefore, under GDPR both the controller and processor now have defined legal responsibilities.
  • There has been a lot in the press about the scale of the fines that can be levied against organisations. Whilst true, they are mainly referring to large corporations, however the Information Commissioner’s Office (ICO) do fine companies and charities for which we are aware.
  • In the GDPR, personal data has been redefined and now covers a much wider scope, including new areas such as IP addresses, CCTV and biometrics. The GDPR also covers a ‘special’ category of personal data, referred to as sensitive data and may only be processed within a limited number of circumstances. The principles that underpin the GDPR are ones that we would all hope that people will carry out with our own data. From Article 5, personal data shall be (paraphrased):
  1. Processed lawfully, fairly and in a transparent manner;
  2. Collected for specified, explicit and legitimate purposes;
  3. Adequate, relevant and limited to what is necessary;
  4. Accurate and, where necessary, kept up to date;
  5. Kept for no longer than is necessary;
  6. Processed in a manner that ensures appropriate security of the personal data.
  • Buried in these principles are some very important new requirements. For example, Informed consent. The information on which we gain consent is informative, unambiguous, and given freely. In addition, consent can be withdrawn. Data from children (under 16) requires authorisation from a parent or guardian, and as a controller and/or processor we make all reasonable efforts to obtain this.
  • There are also now a number of rights of the individual:
  1. Right to be informed: we must provide ‘fair processing of information'.
  2. Right to Access: confirmation that your data is being processed.
  3. Access to your personal data; and other supplementary information.
  4. Right to rectification: you can correct incorrect information.
  5. Right to erasure: that is to be forgotten.
  6. Right to restriction of processing: we can store but not process your data
  7. Right to portability: to take and reuse your personal data across a range of services.
  8. Right to object.
  9. Right to decision making: you can object if you are not in the loop on a decision about you.
  • As part of the GDPR, we must undertake Data Protection Impact Assessments (DPIA). The DPIA identifies the specific risks to personal data as a result of processing activity and must be undertaken whenever there is a change in processes, technology, or new activity within our organisation.
  • There are two interrelated processes required for the implementation of the GDPR.
  1. Design of systems and processes which secure your data.
  2. Design of systems and processes, which ensure that your data is managed properly.
  • What’s the current legal framework?
    The Data Protection Act 1998. This was superseded by the General Data Protection Regulation (GDPR) which came into force on 25th May, 2018.
  • What’s the significance of GDPR?
    It’s not in fact a huge departure from the Data Protection Act; rather it updates and adds to the existing framework.
  • The major changes are:
  1. Requirements for consent are more rigorous
    Consent is a very hot topic, especially within organisations such as Wheel of Health Limited. The GDPR seeks to ensure that consent is given and given freely, which means the subject must have a choice and isn’t forced to give unnecessary details in the process of undertaking Wheel of Health business. Consent must be informed and specific, with clarity on how to opt in and out, and about how the data will be used. Lastly, a subject must actively confirm that they provide consent. As noted above, in the event that individuals do not have capacity to provide their consent, consent can be given by their advocate.
  2. Requirement to delete data at the subject’s request
    GDPR implementation will bring with it the ‘right to be forgotten’ and the ‘right to object’. All organisations must understand these rights and have processes in place to react to subjects invoking their rights, including, but not limited to, removing their consent and securely deleting their data.
  3. Requirement to notify authorities within 72 hours of any data breach
    There will be a requirement of all organisations to report any personal data breach to the relevant authorities and, in some cases, to the individuals affected by the breach. The requirement to notify is for breaches that may result in a risk to the rights and freedoms of individuals and this includes events that, for example, may lead to financial loss, discrimination or loss of confidentiality. This means you will need to think carefully about how you store data.
  4. Increased fines for failure to comply
    There are two tiers of fines: 2% of total annual turnover or €10 million (whichever is higher) and, for the more serious infringements, 4% of annual turnover or €20 million (again, whichever is higher).
  • GDPR will apply to all organisations, no matter where they are based and their size, if they offer goods or services (even if free) to individuals in the EU. In addition, despite Brexit, the ICO have confirmed that they are likely to implement similar rules after we have left the EU, to allow the United Kingdom to operate on a level playing field with the continent. All organisations should plan for, and be ready to comply with, the GDPR.

    An Introduction

  • The Data Protection Act (DPA) places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.
  • Data Protection applies to all information we hold in computerised form and also to non-computerised form, held in filing systems structured so that specific information about particular individuals can be readily retrieved. Access to records of deceased individuals still falls within the scope of the Access to Health Records Act 1990.
  • The Data Protection Act 1998 contains eight Data Protection Principles. These are:
  1. Data must be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specific and lawful purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
  4. Personal data shall be accurate and where necessary kept up to date.
  5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.
  6. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Data Protection Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  9. The ICO will accept an organisation complying with Cyber Essentials as meeting the requirement for securing personal data. Cyber Essentials is a scheme developed by the UK Government (with advice from GCHQ) and industry to give a clear statement of the basic controls to mitigate against internet based threats.
  10. The Information Assurance for Small and Medium Enterprises (IASME) Governance standard was developed in order to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO27001. IASME Gold has been used by many organisations to demonstrate that they have the systems and processes, which ensure that data is managed properly. Included in this standard is the assessment against the GDPR requirements, enables companies to say they are GDPR READY.
  • The Information Commissioner’s Office (ICO) has specific responsibilities for the promotion and enforcement of the DPA. Under the DPA, the Information Commissioner (IC) may, (1) Serve information notices requiring data controllers to supply the ICO with the information needed to assess compliance. (2) Where there has been a breach, serve an enforcement notice which requires data controllers to take specified steps or to stop taking steps in order to comply with the law.
  • The Company Data Protection lead is Simon Weech, Director.
    Access to personal data is your right under the Data Protection Act. Any request for access to data must be made in writing to:
    Wheel of Health Limited
    17 Monks Wood Close
    SO16 3TT
  • The GDPR is a European-wide regulation that came into force on 25 May 2018. The legislation is designed to protect people’s personal data from being stolen or exploited by companies. Central to the new regulation is the idea of keeping people’s personal data safe and accurate, obtaining consent to collect it, and having a business purpose to hold on to it. Current data-protection legislation goes some way towards this, but the GDPR goes further.
  • What is personal data?
    Personal data is any information that can be used to identify an individual, such as name, postal address, email address, date of birth, gender, National Insurance number, NHS number, bank details, credit card details and so on. Often it is information that will be collected as part of marketing activity or held about customers that you’ve worked with. Some personal data is classified as sensitive and requires particularly careful handling. This includes data on an individual’s ethnicity, religion, political affiliation, sexual orientation, trade union membership, previous criminal convictions, biometric data (such as fingerprints or eye scans), physical or mental health.
  • The GDPR broadens out the definition of personal data from the existing Data Protection Act. It now includes almost any information that can be used to identify an individual when combined with other elements of personal data. For example, items such as IP addresses (for individual computers) or physical records, such as business cards, record cards and manual filing systems, can now be classed as personal data. Also, businesses that use fingerprint recognition to gain access to a building or a locker (as in a gym) will also be subject to the regulations.
  • Why does any of this matter?
    There are large fines for failing to comply with the collection and management of data as specified by the GDPR.
  • Will this still apply after Brexit?
    Yes. Brexit will not stop UK businesses having to comply with the new regulations – the UK is still be part of the EU. The GDPR will continue to apply until it is specifically repealed or overtaken by new legislation.
  • What are the new areas of regulation?
  1. Accountability:
    The GDPR contains a principle of accountability for all businesses that collect personal data (controllers) and process it (processors). Our business is accountable for the data it collects and processes. In practice, this means we must provide evidence of complying with the GDPR in the form of documented policies and procedures to deal with collecting and processing of personal data. We document what personal data we hold, what we do with it, and if we share it with any other organisations: who, what and why. Our business will be held responsible for the accuracy of the data we hold. This means checking that it’s up to date. If we share data and it turns out to be inaccurate, it’s up to us to contact other organisations we shared it with, to get it updated.
  2. Breach notification:
    Under GDPR, we must report any significant personal-data breaches within 72 hours of discovery to the relevant authority – in the UK, that’s the Information Commissioner’s Office (ICO). In the most serious cases we must report it to the individuals concerned too. The ICO defines a personal data breach as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ This means that a breach is more than just losing personal data.
  3. Collecting data and privacy notices:
    Under current legislation, before we collect any personal data, we need to give you information about:
    1. Who we are.
    2. Why we are collecting your data.
    3. How we will use the information.
    4. Whether we will share it with any third parties.

    This information is usually shared in a privacy notice, which often takes the form of a few lines of text near a tick box, to allow clients to give their consent. Under the GDPR we have updated our privacy notice. As well we explain the following points:
    1. Our lawful basis for processing the data.
    2. For how long we keep the data.
    3. You individual’s right to complain to us and the ICO if you think there’s a problem with how we’re handling your data.

    The GDPR emphasises the need for clear, transparent communication. It says the information we supply about the processing of personal data must be:
    1. Concise.
    2. Transparent.
    3. Intelligible.
    4. Easily Accessible.
    5. Written in clear and plain language, particularly if addressed to a child.
    6. and Free of Charge.
  • Data transfer?
    The GDPR imposes restrictions on us transferring data outside the EU.
  • Individuals’ rights?
    Many of your individual rights are similar to the Data Protection Act. People have the right to request access to any personal data you hold on them, under a subject access request. Under the GDPR we provide this free of charge, if it is a ‘reasonable’ request i.e. not one that has been made repeatedly and not for volumes of information that it would be impossible to produce within the time allowed. The deadline for us to provide the information has also been reduced to 30 days. You have the right to object to how we use your data. If we process data for direct marketing, we will stop using your data as soon as you receive an objection, until either the objection is resolved, or your data is removed. You have the right to request that we delete your personal data if:
  1. It’s no longer needed for the purpose it was originally collected or processed.
  2. You formally object to it being used and there’s no overriding legitimate reason for us to continue using it
  3. It was processed unlawfully (in breach of the GDPR)
  4. There is a legal need to erase it.
  • Data Retention
    A data retention policy is a requirement of the GDPR. If you wish to know more information on how long we retain data please get in touch with us.
  • Right to withhold Personal Data:
    Under the GDPR, Wheel of Health can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others. We will take any necessary legal advice if we are proposing to withhold information on this basis, as Wheel of Health will need to carefully consider its applicability and its use which should not act to result in a refusal to provide all information.
  • How should the information be given to the applicant?
    Any person making a subject access request (SAR) only has the right to see their own personal data, rather than a right to see copies of the documents that contain their personal data. Often, the easiest way to provide the relevant information is for us to supply copies of original documents, but we are not obliged to do this. Once the personal data that is relevant to the request has been located and retrieved, we will communicate the data in an intelligible form.
  • The End of Passive Consent
    One of the most significant impacts of the GDPR is the strengthened requirement for getting consent to hold and process your data. Previously, consent was defined as any freely given specific and informed indication of their wishes. In practice companies often relied upon the person’s failure to opt out as evidence of his consent.
  • The GDPR now requires a positive, unambiguous, affirmative action. Anything less won’t be acceptable. A ticked box will still work (not a pre-ticked box!), as will an active opt in.
  • Consent must be capable of being withdrawn at any time.
  • As a Data Controller we must now capture each consent, together with the version of the privacy notice that accompanied the consent, and hold it on file. If only partial consent is given, the system must be capable of screening out any unauthorised use.
  • ‘Grandfather’ consents won’t be allowed, so any existing consents that don’t meet GDPR requirements won’t be valid after May 2018 and will be re- acquired.
  • Consents which depend on services which are conditional on the giving of consents will not be valid.
  • Legitimate Interests
    As the consent rules become more stringent companies are likely to want to consider whether they can capture the data under the banner of legitimate interests. GDPR does allow legitimate interest processing but the tests are more stringent than before.
  • The GDPR adds two further requirements with consent; transparency and internal documentation. This is informed at the time of the purpose for which the data is collected and the legitimate interest which it pertains. This is embodied in our privacy notice.
  • Transparency
    The GDPR focuses on the importance of transparency. Consent must be based on a written explanation couched in clear and plain language in an accessible form.
    This is a list of information which may be included:
  1. Our identity and contact information.
  2. Our Data Protection Officer’s (DPO) contact information.
  3. The purposes and legal basis of the processing.
  4. Details of the legitimate interests (if relied upon).
  5. Recipients of the personal data.
  6. Any intended transfer to a non-EU country and why.
  7. How long the data will be stored.
  8. Your rights.
    1. Ability to withdraw consent.
    2. Right of access.
    3. Right of rectification.
    4. Right to object.
    5. Right to object to direct marketing.
    6. Right not to be subject to automatic processing (Unless necessary to fulfil a contract or required by law).Right to be forgotten without undue delay.
    7. Right to restrict processing, especially where accuracy of data is contested, or no longer needed.
    8. Right of data portability (in a commonly used format).
    9. Right to object to processing for scientific, historical, or statistical processes.
    10. Right to lodge a complaint and who to go to.
    11. Whether provision of data is required.
    What is a SAR?
    A SAR is a request for personal information that the company may hold about a data subject i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by the company. If personal information is being processed, they are entitled to access:
  1. the reasons why their data is being processed;
  2. the description of the personal data concerning them;
  3. A copy of all records including e-mails where they are mentioned;
  4. information about anyone who has received or will receive their personal data;
  5. details of the origin of their data if it was not collected from them.
  6. Wheel of Health need to be mindful that the rules on subject access apply to any individual. Wheel of Health are likely to hold and process personal data about its staff; its associates; service users; clients; equipment suppliers, case managers and many others. Each category will have the same access rights.

Key Changes to SARs under GDPR
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes to be aware of which:
Fees: Under the DPA, Wheel of Health can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’ Wheel of Health can charge a ‘reasonable fee’ for multiple requests.
Response time: Under the DPA, we must respond to SARs within 40 days of receipt of the written request. Under the GDPR, we must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex but we must contact the individual within a month of receipt, explaining why the extension is necessary.
  • Provision of Information:
    Individuals can make a SAR electronically. If they do so, the information provided should be in a commonly-used electronic format, unless otherwise requested. But remember Wheel of Health verify the individual’s identity prior to granting access to information. This can sometimes take a little time especially if it is a guardian or someone acting under a power of attorney who are seeking the information about a data subject.
  • In responding to a subject access request, the organisation will need to advise the data subject of:
  1. The purposes of the processing.
  2. the categories of personal data concerned.
  3. who are the recipients to whom we disclose the information.
  4. where possible, how long you will hold onto the information or what categories have been used to decide how long the personal information will be held for.
  5. the right to request rectification, erasure or restriction of the processing.
  6. the right to lodge a complaint to the ICO.
  7. where the personal data are not collected from the data subject, the source from where Wheel of Health obtained the data.
  8. and finally, the existence of any automated decision-making.

Wheel of Health Limited Logo