Data Privacy and Processing Policy
LGC Group ISMS 2001 Data Privacy & Processing Policy
26th April 2018
1.1 Purpose
The purpose of this Policy is to ensure that all LGC Personnel – all LGC employees, directors, officers, temporary staff, agency workers, seconded workers, interns and apprentices wherever located and regardless of employment status, are aware of LGC’s obligations and their own responsibilities with regard to the protection of Personal Data held and processed in the course of LGC’s business. It outlines responsibilities with regard to handling and safeguarding Personal Data and it also identifies those who have specific duties in respect of Personal Data and privacy protection. This Policy builds upon the general obligations outlined in the LGC Group Code of Ethics and sits within and references the LGC Group Information Security Management System (“ISMS”).
1.2 Applicability
This policy applies to all LGC employees, directors, officers, temporary staff, agency workers, seconded workers, interns and apprentices wherever located and regardless of employment status (“LGC Personnel”) to the extent that their engagement requires them to process Personal Data.
1.3 Key Definitions
For the purpose of this Data Privacy Policy LGC has adopted the definitions used in the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) for the following terms:
“Personal Data” – or Personally Identifiable Information (“PII”) means any information relating to an identifiable person (a “Data Subject”) who can be directly or indirectly identified in particular by reference to an identifier, such as name, contact details, identification number, location data or online identifier (such as personal or work email);
“Sensitive Personal Data” – means Personal Data that GDPR regulates as “Special Category” data which is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. [Note: while Special Category Personal Data does not typically include data revealing criminal convictions and offences, similar extra safeguards apply to the processing of such data.]; and
“Processing” – means anything that is done to, or with, Personal Data (including simply collecting, storing or deleting data). Data protection law is likely to apply wherever LGC Personnel do anything that involves or affects Personal Data. In practice this means any Personal Data held in electronic format on an LGC computer, phone or machine, or in a structured paper filing system, falls within the remit of relevant law and policy on processing Personal Data.
1.4 Policy
LGC regards the proper and lawful handling of Personal Data as vital to its successful business operation.
Personal Data may:
- relate to customers, employees or any other living individual;
- be handled electronically or on paper; or
- be processed for LGC’s own purposes or on behalf of a customer, supplier or other entity.
LGC Personnel have a duty to ensure Personal Data is processed lawfully in accordance with the Principles set out in Section 4 of this Policy, which require Personal Data to be processed lawfully, transparently, for the purpose(s) for which it was collected, and with appropriate safeguards to protect against unauthorised access, disclosure and inaccuracies.
LGC operates in diverse locations across the globe, where different data protection laws may be in place; LGC will comply with applicable laws in all areas in which it operates. If Personal Data is required to be transmitted across different jurisdictions this must be done in a manner which complies with all relevant data protection laws. Personal Data of EU Data Subjects will not be transferred outside the European Economic Area unless the required GDPR safeguards are in place.
2.1 LGC Data Protection Lead
The LGC Data Protection Lead in the LGC Legal Team is responsible for monitoring the continued effectiveness of the Group’s data protection compliance programme and for promoting consistent application of the Data Protection Principles (see Section 4 of this Policy) across the Group, by means of appropriate training and awareness mechanisms. These responsibilities also include the provision of advice and guidance to LGC Personnel, oversight of any Data Breaches in accordance with LGC Group Data Breach Policy ISMS 2019 and facilitation and coordination of the exercise of Data Subject rights in accordance with applicable data privacy/protection legislation including liaison with any appointed LGC Data Protection Officer and/or any relevant supervisory authority.
2.2 Line Managers
Line Managers will be accountable for ensuring that all personnel within their area of control are aware of this Policy and applicable Personal Data processing requirements. In particular, they must ensure LGC Personnel for whom they are responsible: (i) are familiar with any Personal Data Processing procedures and safeguards in place; and (ii) undertake any mandatory and relevant enhanced training on the handling of Personal Data that may be required.
2.3 LGC Personnel
All LGC Personnel should be aware of their own responsibilities to preserve the privacy of Personal Data and to process that data in accordance with the Data Protection Principles (see Section 4 of this Policy), whether the data relates to colleagues, customers, suppliers or others. LGC Personnel should be aware that it is their use of Personal Data which will either comply with or be in breach of the terms of the applicable data protection legislation. LGC Personnel are accountable for their actions and are expected to seek necessary guidance to confirm appropriate processing of Personal Data from their Line Manager, local Data Privacy Network Member, LGC Legal Team Data Protection Lead and any appointed Data Protection Officer. Further guidance and contact details are available on the Data Protection / Data Privacy pages of the LGC Group Intranet. Should LGC Personnel become aware of any potential issue in respect of the processing of Personal Data they must raise this matter with their line manager or the Data Protection Lead in accordance with the LGC Group Data Breach Policy (ISMS 2019).
2.4 Security of Personal Data
All Personal Data must be handled and stored securely following the guidance given in the Group Information Security Management System (ISMS), including the Acceptable Use of IT Policy (ISMS 2010) and the Clear Desk & Screen Policy (ISMS 2017). Where Personal Data is taken offsite, the guidance given in the Informal Communications Policy (ISMS 2018) must be followed.
2.5 Data Breaches & Unauthorised Processing
LGC Personnel are required to act in accordance with the LGC Group Data Breach Policy (ISMS 2019) and report any actual or suspected breach relating to Personal Data processed on behalf of LGC. Notification to the Data Subject or a relevant supervisory authority may be required under applicable law, so it is important to follow the requirements of all LGC ISMS Policies, which require a report to be made using the LGC Security Incident Report mechanism; this will, in turn, ensure notification to the LGC Data Protection Lead and others.
2.6 Information Handling within the LGC Group
To ensure Personal Data is handled lawfully and processed as required within the LGC Group of companies, LGC has put in place a Group-wide Data Transfer and Processing Agreement to ensure appropriate legal, technical and organisational measures are in place within each LGC Group company wherever it is located. Care should still be taken to observe the Data Protection Principles in Section 4 whenever Personal Data is processed. LGC Group companies are registered with applicable Data Protection supervisory authorities, such as the UK Information Commissioner’s Office (ICO).
2.7 Personal Data Transfers & Third Party Processors
Where LGC seeks to transfer Personal Data to third parties (such as service providers, business partners or even public bodies), LGC shall ensure that such transfer, and any processing of Personal Data to be carried out on its behalf, is done lawfully and in accordance with this Policy and in compliance with the applicable Data Protection/Data Privacy law and regulation.
As such, third party Data Processors or Data Controllers appointed by LGC shall:
- be selected only after having provided sufficient guarantee in respect of the technical and organisational security measures governing the processing of Personal Data to be carried out and having given clear undertakings as to the lawful purpose of such processing;
- be subject to assurance and review to ensure they comply with these measures;
- enter into appropriate legal agreements with LGC requiring them to comply with obligations equivalent to those imposed on LGC by law. All such agreements with relevant third parties shall be in LGC standard form or shall otherwise be subject to review by the LGC Legal Team to ensure they meet applicable legal requirements and LGC’s requirements under applicable data protection legislation; and
- promptly notify LGC of any breach or suspected breach, cooperate with LGC in making any further notifications required by law, and permit LGC to inspect and audit relevant processes and controls applied in relation to LGC Personal Data. LGC shall act in accordance with applicable requirements of the LGC Group Data Breach Policy (ISMS 2019) with regard to any actual or suspected data breach involving Personal Data.
2.8 Data Subject Rights under applicable laws
Under the EU GDPR and other local laws, individual Data Subjects may be afforded certain rights in connection with the processing of their Personal Data. It is LGC’s Policy to ensure that Data Subjects are able to exercise these rights in an efficient manner. Any Data Subject wishing to exercise such rights is requested to contact LGC using the email address: dataprotection@lgcgroup.com.
Data Subject rights in relation to Personal Data are subject to important time limits, exceptions and exemptions, and include:
- the right to be informed of the purpose for which their Personal Data is collected;
- the right of access to the Personal Data;
- the right to rectification of errors in Personal Data;
- the right to erasure of Personal Data (subject to exceptions);
- the right to restrict processing;
- the right to data portability;
- the right to object to certain otherwise lawful forms of processing; and
- rights in relation to automated decision making and profiling based on their Personal Data.
To ensure that LGC is able to comply with applicable law in relation to the exercise of such rights, any LGC Personnel who become aware that an individual may be seeking to exercise any such right should immediately contact the LGC Data Protection Lead using the email address: dataprotection@lgcgroup.com so that the request can be verified and actioned as required.
LGC may, on occasion, receive official requests for information from public authorities or from individuals exercising rights under Freedom of Information laws and regulations. To ensure that Data Subject privacy rights are not compromised and that LGC complies with any lawful commercial confidentiality undertakings it has entered into, such requests should be directed to the LGC Legal Team or, if appropriate, to the external party who is the Data Controller – such as a relevant public authority in relation to such request. For more guidance on handling Freedom of Information requests, please contact the LGC Legal Team.
3. Distribution
A copy of this Policy shall be made available to all current LGC Personnel and other relevant parties as required.
4. Data Processing Principles
In complying with this Policy, LGC and LGC Personnel shall comply with the following data protection principles:
- Fairness, Lawfulness and Transparency Principles – Personal Data shall be processed by LGC lawfully, fairly and in a transparent manner in relation to individuals; LGC shall provide appropriate mechanisms to enable Data Subjects to exercise applicable rights in relation to their Personal Data;
- Purpose Principle – Personal Data shall be collected for specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with those purposes (NB – processing for archiving purposes in the public interest, for scientific or historical research purposes, or statistical purposes shall generally be considered compatible with the initial collection purpose);
- Adequacy Principle – Personal Data collected and processed shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy Principle – Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Data Retention Principle – Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which data are Processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of individuals;
- Security Principle – Personal Data shall be processed in a manner that ensures appropriate security of Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
- Accountability Principle – LGC shall be responsible for, and be able to demonstrate, compliance with these principles.