Privacy Policy

Statement

PHL Synaptik is committed to safeguarding your personal information. Whenever you provide such information, we are legally obliged to use your information in
line with all laws concerning the protection of personal information, including General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018.

Scope

This policy applies to all personal data handled by PHL Synaptik.

Data Protection Principles

PHL Synaptik shall adhere to the data protection principles set out in GDPR
(Article 5). The six principles state that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and
organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful
processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and
confidentiality’).

Definitions

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly or to one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
‘special categories of personal data’ refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
• ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a function or geographical basis
‘controller’ means the natural or legal person, public authority, agency or other body which, along or jointly with others, determines the purposes and means of the processing of personal data
‘processor’ means a natural or legal person, public authority, agency or other body which processes data on behalf of the controller
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Subject Access Requests

Under the GDPR, individuals have the right to obtain confirmation that their data is being processed and, where that is the case, access to the personal data. As such, PHL Synaptik have implemented a process through which any individuals can make a request to access their personal data and details of the purposes of processing. This type of request allows the individual to verify the lawfulness of the processing and exercise rights of rectification and objection.

To make a request, an email should be sent to datarequests@synaptik.co.uk. In accordance with GDPR, PHL Synaptik will respond to the query as quickly as

possible and will provide the individual with the requested information within one month. This shall be provided free of charge unless reason is found that the request is manifestly unfounded or excessive.

The response will be provided in a standardised electronic format and include a copy of all personal data requested, the purposes for processing, details of any recipient to whom personal data may have been disclosed and the envisaged period for which the personal data will be stored.

Individual Data Rights

GDPR provides the following rights for individuals:

Right to rectification
- The right to have inaccurate personal data rectified or to have incomplete personal data completed, depending on the purposes of the processing.
- A request to exercise this right can be made verbally or in writing and must be responded to within one month.
Right to erasure
- The right to have personal data concerning them removed if:
  - The personal data is no longer necessary in relation to the purposes for which it was collected or processed
  - The individual wishes to withdraw consent and there is no other legal ground for the processing
  - The personal data has been unlawfully processed
Right to restriction of processing
- The right to have processing restricted if the accuracy of personal data or legality of processing is contested by the individual. Processing can also be restricted if the data controller no longer requires the personal data but the individual requires it kept to establish, exercise or defend a legal claim.
Right to data portability
- The right to receive personal data in a structured, commonly used and machine readable form
Right to object
- The right to object to processing including direct marketing. If
  the individual objects to processing then grounds relating to their particular situation must be provided except in the case of processing personal data for direct marketing which must be stopped as soon as an objection is received.

Any requests to exercise these rights should be directed to datarequests@synaptik.co.uk.

Information Held

PHL Synaptik may store the following personal information:

Full name 1, 6, 8
Home address 3
Telephone number(s) 10
Email address(es) 10
Place(s) of employment (incl. address)
Job title/position 2
Professional qualifications/specialties 2
CV and references 2
Regulation body (e.g. GMC, NMC) registration number, renewal date and revalidation date 1
Medical indemnity arrangements (organisation & ID number) 1
Disclosure registrations number(s) 1
PACS ID 1
Photo for Synaptik ID 9
Copy of photographic ID 1, 4
Copies of certificates
- Indemnity insurance 1
- Disclosure (PVG) 1
- Immunisation certificate 1
- Revalidation certificate 1
Bank details for BACS payment 3
NI Number 6
Unique Taxpayer Reference number 6
Date of birth & Gender 6
Companies House Registration (if applicable) 6
Details of work performed on behalf of Synaptik 3, 5, 6, 7
Details of expenses claimed whilst performing work on behalf of Synaptik 3, 6, 7
Synaptik events attended 3, 6, 7

Information above will only be stored when required with reference to the
personal data uses listed below.

Personal Data Uses
Personal information may be used in a number of ways including:

Confirmation of eligibility for work
Suitability for prospective position
Invoicing/Payment
Identification
Confirmation of completion of work
Required for HMRC Employment Intermediaries Report (if relating to a payment)
Financial history and statistical analysis
Reservations (Accommodation/Transport)
ID card for use on site
Contact/Communication

In the event of previously collected data being required for a use not currently listed above, Synaptik will contact the individual to confirm this change.

Deletion Policy
Any information mentioned above will either be fully anonymised or deleted from all Synaptik systems (digital or physical) after a reasonable period of
time without usage. This shall take into consideration the period for which Synaptik is legally obliged to store certain information. This does not effect the individual data rights listed above.

Sharing
Personal data will only be shared in the following situations:

with clients to whom the individual has consented to provide or offer
services.
for reasons of legal obligation (e.g. HMRC reporting)
names may be shared for the purposes of accommodation and
transport reservations

Shared information will never include bank details. Copies of certificates listed above will not be shared without seeking further consent, though confirmation that certificate is held on file may be.

Complaints
If at any time you are unhappy with the way in which Synaptik uses personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Further details are available via their website at https://ico.org.uk/make-a-complaint/ or alternatively by phoning them on 0303 123 1113