Policy paper

Great British Nuclear data protection policy

Published 13 March 2024

1. Purpose

This policy defines the data protection responsibilities of the Great British Nuclear (GBN) and its employees, contractors and consultants and ensures that all are aware, not only of the requirements of data protection legislation on GBN, but also their individual responsibilities in this respect.

2. Scope

This policy applies to all GBN employees, contractors and consultants.

3. Policy details

3.1. General

The General Data Protection Regulations (GDPR) provide individuals with rights in relation to personal data held/processed by organisations. The GDPR also place obligations on organisations to have appropriate technical and organisational measures in place to ensure the integrity and confidentiality of personal information held/processed.

GBN has a statutory obligation as a Data Controller/Processor to be responsible for and be able to demonstrate compliance with the legislation. All staff can obtain full details of the GBN’s processing from the intranet and externally through the website.

3.2. Responsibilities

The GBN Data Protection Officer (DPO) is responsible for ensuring that statutory and regulatory obligations with respect to the GDPR are adhered to and for the provision of training, guidance and advice to ensure policy compliance by all GBN employees, consultants and contractors. They are also the individual to whom all subject access requests and queries concerning personal data should be addressed.

GBN Directors, Departmental and Functional Heads are responsible for the promulgation of this policy and any associated guidance within their own business unit.

GBN permanent and temporary employees, contractors and consultants are responsible for incorporating this policy and its associated documents into their own working practices.

3.3. GDPR Principles

The GDPR provides that six principles be adhered to in the processing of personal data. This is achieved by GBN implementing appropriate rules and procedures. All GBN employees, contractors and consultants are therefore responsible for ensuring that these rules and procedures are followed. The objectives of the rules and procedures are to ensure that the six principles will be complied with, and that all personal data is:

• processed lawfully and fairly and in a transparent manner
• collected for specified, explicit legitimate purposes and not further processed in a manner incompatible with those purposes
• adequate, relevant and limited to what is necessary in relation to the purposes
• accurate and where necessary kept up-to-date
• kept in a form which permits identification for no longer than is necessary for the specified purpose
• kept secure subject to appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction

Under the terms of the GDPR, processing of data includes any activity to do with the data involved. All employees or other individuals who have access to, or who utilise, personal data, have a responsibility to exercise care in the treatment of that data and to ensure that such information is not disclosed to any unauthorised third party.

Additionally, in order to comply with the first principle, at least one of the following conditions must also be met:

• the subject has given his/her explicit consent to the processing (such consent must be recorded)
• the processing is necessary for the performance of a contract with the subject
• processing is required under a legal obligation
• processing is necessary to protect the vital interests (essential for the life) of the subject or another person
• processing is necessary for the performance of a task carried out in the public interest
• processing is necessary to pursue the legitimate interests of the Data Controller or third parties (unless it could prejudice the interests of the subject or would constitute processing carried out by a public authority in the performance of their tasks)

3.4. Special category (sensitive) data

Explicit consent of the individual will usually have to be obtained before the data is processed unless the data controller can prove the processing is based on one of the following criteria.

• compliance with employment law and obligations
• to protect vital interests (essential for the life) of the data subject
• the data subject has deliberately made the information public
• to comply with legal obligations (establishing or defending legal rights)
• processing is necessary for the establishment, exercise or defence of legal claims
• processing is necessary for reasons of substantial public interest
• occupational medicine, provision of heath or social care or treatment
• public health
• scientific or historical research or statistical purposes

3.5. Data subject access rights

Data subjects have the right to access personal data that GBN holds about them. Such a request is called a subject access request, and the Subject Access Request Procedure includes the details of the process that has to be followed.

GBN may also receive request from a data subject to erase personal data, rectify inaccurate data, restrict/cease or not begin processing personal data. All such requests or notices must be referred to the DPO and responded to either by agreeing to comply with the request, or giving the reasons why the request is regarded as unjustified, either wholly or in part.

3.6. Data Privacy Impact Assessments

Data Privacy Impact Assessments (DPIAs) are a tool that is used to identify and reduce the privacy risks of projects. A DPIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.

A DPIA will be carried out whenever a “new” project/process involving the use of personal information is being considered/initiated, especially if this involves the use of technology or third-party processors.

Signed by:

Peter Welch
Corporate Services Director