GDPR Statement

Updated 21/03/2018

We are aware of the expectations and obligations set out in the General Data Protection Regulation (GDPR) being implemented on 25th May 2018, and as a result we have a dedicated team and an external consultant working on ensuring that we absolutely meet all of these.

Much of the regulation is based on the existing Data Protection Act, with additions to certain areas such as data subject rights, accountability, and the specific obligations of controllers and processors. We have taken the opportunity to review and amend where required our existing internal processes, including policies, documentation for Policyholders and corporate customers, and working practices, along with communications with our own suppliers and partner organisations.

With the many different strands included in the GDPR, from security, retention, privacy notes and marketing, there are naturally elements currently being worked on, and as part of our commitment to delivering absolute transparency, we shall keep you informed of all and any changes we’ve made in due course.

Our ultimate objective has, and always will be, to ensure that your data (whether belonging to you, a family member, or an employee) remains secure, in the very safest of hands, and protected, and rest assured that we will continue to operate in accordance with the Data Protection Act and, as of 25th May, GDPR.

If you have any queries or specific questions you’d like to ask, please do get in touch with us via GDPRteam@paycare.org

Kind Regards,


Kevin Rogers

CEO

Frequently Asked Questions


What is the General Data Protection Regulation?

The General Data Protection Regulation (or GDPR for short) is the biggest change to UK data privacy law in 20 years. As part of GDPR all companies have to review how they manage all personal data, whether it be customer email addresses, bank details or medical history. But don’t worry, it’s a really positive step towards you having more control over how your data is used and how you’re contacted by companies like Paycare.

How will the changes affect your Paycare policy?

The changes will help us to better protect your data. You’ll have greater visibility of the data we hold on you as a Paycare Policyholder too, whether it’s something as simple as your name and telephone number, or something as complex and sensitive as your medical information. This means you can have greater confidence that information about you is accurate, up-to-date and properly managed.

(Please see below for changes that affect your organisation, as a corporate customer)

How is Paycare complying with the GDPR principles?

Here at Paycare we continue to take the security of our customer’s data extremely seriously, and we welcome the changes needed as a result of these new regulations. You’ll be pleased to know that we have set up a dedicated team to support the changes we need to make as an organisation, and we are taking the time to review all of our policies and procedures to ensure they comply with the new regulations.

What are the key principles of GDPR?

Processing data fairly, lawfully and transparently
This fits very well with the culture of Paycare so it’s something we do naturally. Expect to see over the coming weeks an updated privacy notice, giving you even more information about what and how we do things with your personal data.

Data Purpose Limitations
We’re clear from the outset why we have your personal data, it’s to administer your policy with us, deal with claims you may have, keep you updated with changes, things that may affect your policy, because it’s a contractual obligation.

Data Minimisation
We’ll never ask you for (nor do we want) any of your personal data that isn’t relevant to the purposes mentioned above. If you’re unsure why we’re asking for something, feel free to ask us why.

Accuracy
To the best of our ability we aim to ensure that any personal data we hold is accurate, up to data and correct.  We need your help with this, if you don’t tell us something has changed we won’t know, please keep us informed.

Storage Limitations
We have statutory and contractual obligations which we need to meet. Once those have been met there has to be a very good reason why we’d retain records after that time.

Integrity and Confidentiality
We take data security very seriously and have appropriate controls in place to ensure that personal data we hold is secure and only accessed by those that need it to fulfil their role. This includes ensuring that the Paycare Team are trained to be vigilant with regards to data security.

Accountability
We take steps to ensure that all Paycare staff are aware of their responsibilities regarding Data Protection, including ongoing training on GDPR. As well as this, we have put new measures in place to ensure that we document all decision processes that affect the retention, processing, storage and disposal of all data. One method of doing this is using Privacy Impact Assessments – see below for more information.

Where is Paycare’s data stored?

Our data is stored in the UK with measures in place to ensure data integrity and security.

Working with Paycare


How will the changes affect your organisation as a corporate customer?

The changes will help us to better protect your data, and your employee’s data, and you’ll have greater visibility of the data we hold on you as an organisation.

Your employees, our policyholders, will have greater visibility of their data too, whether it’s something as simple as their name and telephone number, or something as complex and sensitive as medical information.
This means you can have greater confidence that information about you is accurate, up-to-date and properly managed.

Is Paycare a data processor or a data controller?

We are the Data Controller as we determine the purposes for which, and the way that, any personal data are, or are to be, processed.

Does Paycare perform Privacy Impact Assessments? (PIAs)

Security and privacy are a core priority at Paycare. We undertake risk assessments to our information to ensure we have appropriate controls in place to mitigate any risks highlighted. As part of this risk assessment process we will be carrying out Privacy Impact Assessments to help us get even better at protecting privacy.

How does Paycare ensure it meets the Privacy by Design requirements?

At the core of what and how we do things is our customers and in turn their privacy, we’ll continue to have a privacy by design approach by utilising Privacy Impact Assessments.

How does Paycare handle Subject Access Requests (SAR)?

Paycare has an existing Subject Access Request Process but we will be taking the opportunity to make sure this meets the requirements of the new Regulation in due course.

How does Paycare process Data Portability requests?  

Data portability refers to the ability to move, copy or transfer data easily from one database, storage or IT environment to another. As this is something new, we are looking at ways to help you with this.

What would Paycare do in the unlikely event of a data breach?

With measures already in place, and the changes we are making ahead of the 25th May, we believe we won’t have any breaches of data. We haven’t had any to date. In the unlikely event that a breach does arise, rest assured we will follow our breach notification process and meet the obligations set out in the Regulation.

Should a breach occur an it places any personal identifiable data or any personal sensitive data at risk in any way, then the breach, will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

If you have any queries or specific questions you’d like to ask, please do get in touch with us via GDPRteam@paycare.org