Protocol for Processing Special Category Data
Flogas, its subsidiaries and all the companies in the Flogas Group are firmly committed to complying with our data protection obligations. In this context, and to achieve consistency and excellence of service, we believe that it is important to set out a protocol which must be followed when processing Special Category Data.
The relevant Data Protection Acts (the Acts) and the General Data Protection Regulation (GDPR) impose obligations on us, as a Data Controller, to process personal data in a manner that respects the right of data subjects to have their data processed fairly. In particular, we are under a specific obligation to take appropriate security measures to protect such data (Section 2(1)(d) of the Acts).
Special Category (SC) data attracts stricter requirements: Article 9 of the GDPR prohibits processing it unless one of the conditions in Article 9(2) applies, and it calls for greater security and tighter controls over that processing. We rely on the conditions in Article 9(2)(a) and 9(2)(c).
1. Description of data processed
We process SC data about our vulnerable customers: we record medical details of customers who have health issues for which a continuous energy supply is essential.
2. Schedule 1 condition for processing
Article 9(2)(a) – the data subject has given explicit consent to the processing; and Article 9(2)(c) – processing is necessary to protect the vital interests of the data subject (or of another person) where the data subject is physically or legally incapable of giving consent.
3. Procedures for ensuring compliance with the principles
Accountability principle
- We have data protection policies in place, and staff are required to follow them.
- Any change that affects the processing of personal data, and any new project, is subject to a Data Protection Impact Assessment (DPIA).
- We have Data Processing Agreements (DPAs) in place with all third parties who process data on our behalf.
- We have a designated Data Protection Manager who ensures that all policies and procedures are in place and followed.
Principle (a): lawfulness, fairness and transparency
- Our lawful basis for processing personal data is performance of a contract (Article 6(1)(b)); for SC data we additionally rely on the conditions in Article 9(2)(a) and 9(2)(c).
- Customers whose medical data we collect must complete a vulnerable customer form, which is submitted to Networks and clearly states the purpose for which the data is collected.
Principle (b): purpose limitation
- We process medical SC data for the performance of a contract and to protect the vital interests of the data subjects, so that their energy supply is not disconnected during the winter months (October to March).
- All data is collected for a specific purpose. If the data is to be used for a new purpose other than the original one, this will be communicated to the data subject before that use begins.
Principle (c): data minimisation
- We collect only the medical data required to register the customer on the special services register or the priority support register.
Principle (d): accuracy
- All completed agreement forms and vulnerable customer forms are checked for accuracy before they are submitted to Networks.
- Confirmation of the customer’s registration on the register(s) will be issued by letter to the customer. This letter will ask them to check the details carefully and if any of the details are incorrect or change in future then to let us know.
Principle (e): storage limitation
- All data is retained in accordance with our retention policy.
Principle (f): integrity and confidentiality (security)
- Each user has an individual login and password for the system in which SC data is stored; passwords are changed regularly.
- IT regularly reviews our security policies and procedures to ensure there are no issues.
4. Retention and erasure policies
Data is retained and erased in accordance with our retention policy.
5. Appropriate Policy Document (APD) review date
This policy is reviewed annually to ensure the content is still relevant.