GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernise laws that protect the personal information of individuals. It provides greater transparency over where personal data is saved and used. We have determined that the following lawful bases are applicable for the processing of personal data:
(iii) Legal Obligation.
(iv) Legitimate Interests.
The Information Commissioner's Office oversees the GDPR in the UK.
There are 6 legal bases for processing personal data (Consent, Legitimate Interest, Contract, Vital Interest, Legal Obligation, Public Interest). The full legal definitions of these can be seen on the ICO website.
Data stored by Building Control Surveyors Ltd (BCS) for building control applications will fall under Contractual obligations (which includes additional requirements by the CICAIR to keep records for 15 years).
There may be occasions where photographic imaging and motion video, including 3D (3 Dimensional Video & Audio Captures), are used by our site inspectors. Images captured during our visits are only used for building control quality control and training purposes. Any images captured by our attending surveyors using body worn cameras shall not be released since they may contain security or privacy restricted information. In all other respects our full written records will be released in accordance with the Building Control Performance Standards, where they are not subject to the Data Protection Act.
You should also note that plans including calculations held on our systems may in themselves be copyright protected and therefore we are bound by law not to re-distribute, transmit or to publish them without the consent of the original authors of that piece of work.
Building Control Surveyors Ltd (BCS) policy and implementation of GDPR
BCS has implemented a GDPR policy which includes staff training for GDPR for the management and secure storage of information.
BCS has also undertaken a Risk Management & Governance ‘GDPR Health Check’.
Nine domain areas were assessed:
Governance, Awareness, Policies and Procedures, Data Subject Management, Third Parties, Risk Management, Security, Incident Management, and Compliance.
Following this, a nominated ‘Information Security Officer’ has been appointed to develop policy and a ‘Data Protection Officer’ to implement it.
Retrieval of information: a process has been implemented which requires written verification by the requestor before any personal information is released, in accordance with the Data Protection Act and the GDPR.
Breach of GDPR: In the event of a serious breach, BCS will inform the ICO within 72 hours (providing the name and contact details of the Data Protection Officer, a description of the likely consequences of the breach and a description of the measures proposed to deal with it). Where there is a high risk to the rights of any individual, both the ICO and the individual will be informed immediately.
Further information regarding BCS’s GDPR policy can be obtained by emailing firstname.lastname@example.org stating your request for specific information and your association to a particular project.
Information Commissioner’s Office (ICO): www.ico.org.uk
Data Protection Network (DPN): www.dpnetwork.org.uk