Diamond is committed to protecting the privacy and security of the Personal Data that we process. This policy sets out the way in which Diamond processes Personal Data in order to ensure that we meet the expectations of our stakeholders and our obligations under the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and associated data protection legislation.
This policy applies to all processing of Personal Data by all persons working for Diamond or on our behalf in any capacity, including Diamond Employees, joint appointees, seconded workers, collaborators, members of our advisory groups/committees, members of our review panels, students, volunteers, interns, agents, contractors (specifically including suppliers and casual and agency staff), external consultants and third-party representatives (“you”).
For the avoidance of doubt, this policy only applies to you insofar as you may be working for or on behalf of Diamond.
This policy does not form part of any Diamond Employee’s contract of employment and may be subject to change at the discretion of Diamond.
Diamond’s Data Protection Officer is responsible for overseeing this policy, monitoring internal compliance, advising on Diamond’s data protection obligations and acting as a point of contact for individuals and the Information Commissioner’s Office (ICO). Please contact the Data Protection Officer, Paul Jeffreys (email@example.com), with any questions about the operation of this policy or data protection legislation or if you have any concerns that this policy is not being or has not been followed.
Diamond’s Directors have overall responsibility for this policy. Any queries or suggestions relating to this policy should be sent to firstname.lastname@example.org.
This policy should be read in conjunction with any privacy notices and records management policies that Diamond may communicate to you.
The processing of Personal Data by or on behalf of Diamond must comply and be in accordance with six principles relating to the processing of Personal Data set out in the GDPR, which require that Personal Data is:
Stricter rules apply to the processing of Special Categories of Personal Data (formerly called Sensitive Personal Data). This is information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
The first data processing principle requires that Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the individual. You may only collect, process and share Personal Data fairly and lawfully and for specified purposes. This is important in order to ensure that we process Personal Data fairly and without adversely affecting the rights of individuals. The GDPR only allows processing for the following specified lawful purposes:
Many of the lawful bases for processing Personal Data require that the processing is “necessary”. This does not mean that the processing must be essential, but it must be a targeted and proportionate way of achieving the purpose. If other less intrusive means can reasonably achieve the purpose, you should use them instead.
Before undertaking any new types of processing of Personal Data, including collecting Personal Data for a new purpose, you must undertake a ‘Data Protection Impact Assessment’. These assessments help us to comply with our data protection obligations and meet the privacy expectations of individuals. Please contact Diamond’s Data Protection Officer to assist with this.
If you still have questions on the processing of Personal Data at Diamond, please contact the Data Protection Officer or another member of the legal team.
The ICO, which is responsible for enforcing compliance with data protection legislation, has published helpful guidance on data protection on its website.
Awareness of this policy forms part of our induction and training process.
Breach of this policy may:
(a) In the case of Diamond Employees, result in disciplinary action up to and including dismissal.
(b) In the case of individuals who are not Diamond Employees, result in termination of any contract that they may have in place with Diamond and/or termination of their access to Diamond.
Given that much of the data protection legislation is new and procedures and practices are developing, this policy will be kept under review and may be revised by Diamond from time to time as considered appropriate. The most recently published version of this policy will apply if any issue arises which needs to be addressed under it.
For the purposes of this policy, the following definitions shall apply:
Data Protection Officer: Diamond’s Head of Legal and Corporate Governance.
Data Subject: An individual who is the subject of Personal Data.
Diamond: Diamond Light Source Ltd, a company incorporated and registered in England and Wales, with company number 4375679 and with registered office at Diamond House, Harwell Science & Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom.
Diamond Employee: Any person working for Diamond under a contract of employment and any Diamond director or office holder.
Personal Data: Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Process/processing: Any activity that involves the use of Personal Data, including obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Sensitive Personal Data: Special Categories of Personal Data.
Special Categories of Personal Data: Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
Copyright © 2022 Diamond Light Source
Registered in England and Wales at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom. Company number: 4375679. VAT number: 287 461 957. Economic Operators Registration and Identification (EORI) number: GB287461957003.