Guidelines on Data Protection. Draft. Version 3.1. Published by

Size: px
Start display at page:

Download "Guidelines on Data Protection. Draft. Version 3.1. Published by"

Transcription

1 Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013

2 Table of Contents Section One Preamble Authority Scope Application Purpose Definition of Terms... 4 Section Two Guidelines for Data Collection Guidelines for Data Processing Guidelines for Data Access Guidelines for Data Security Officers Section Three Data Protection Guidelines Principles Principle Principle Principle Principle Principle Principle Principle Principle Page 1

3 Section One 1.1 Preamble The National Information Technology Development Agency (NITDA) is mandated by the NITDA Act of 2007 to develop Information Technology in Nigeria through regulatory policies, guidelines, standards, and incentives. Part of that mandate is to ensure the safety and protection of the Nigerian Citizen s personal identifiable information otherwise known as personal data, object identifiable information and a successful implementation of guidelines on data protection. Many establishments have migrated their businesses to the online environment. Information solutions in both the private and public sectors now drive service delivery in the country. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected. This document provides government wide Guidelines on Data Protection. 1.2 Authority National Guidelines on Data Protection are issued by the National Information Technology Development Agency (NITDA) in accordance with NITDA Act They are specifically issued pursuant to sections 6, 17 and 18 of the National Information Technology Development Agency Act 2007 and is subject to periodic review by NITDA. A breach of the Guidelines shall be deemed to be a breach of the Act. These guidelines are mandatory for Federal, State and Local Government Agencies and institutions as well as private sector organizations which own, use or deploy information systems of the Federal Republic of Nigeria. They serve as reference for Data Collectors, Data Custodians, Data Processors, Data Systems Auditors Data Controllers and Security Personnel, among others. Additional data protection and security guidelines may be developed and used at organization discretion in accordance with these guidelines. Page 2

4 1.3 Scope 1. These Guidelines cover the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. 2. These Guidelines does not cover the processing of personal data processing operations concerning public security, defense, national security and the activities of the nation in areas of criminal law. 3. These Guidelines covers data controller or processor (organization) or the data subject (person) operating within Nigeria and the Guidelines also covers organizations based outside Nigeria if they process personal data of Nigeria residents. 1.4 Application The Data Protection Guidelines contained herein shall apply to all data controller in public and private sector as defined in these guidelines. 1.5 Purpose The purpose of this document is to: 1. Prescribe guidelines for all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria for protecting of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII). 2. Prescribes minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information in this category. Page 3

5 1.6 Definition of Terms Data Protection Guidelines - Data Protection Guidelines is the guidelines on the processing of information relating to identifiable individual s Personal Data, including the obtaining, holding, use or disclosure of such information to protecte such information from inappropriate access, use, and disclosure. Personal Data- Personal data is any information relating to an identified or identifiable natural person ("data subject"); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an address, bank details, posts on social networking websites, medical information, or a computer s IP address. Data Subject- OII- DPG- Processing of Personal Data- An identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Object Identifiable Information Data Protection Guidelines Processing of personal data shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or Page 4

6 alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Data Controller- Data Controller shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Data Custodian- Data Custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees and implementing and administering controls over the information. Data Processor- Personal Data Filing System- Data Processor shall mean natural or legal person, public authority, agency, organizations or any other body involved in processing of personal data or processes personal data on behalf of a controller. Personal data filing system shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed. Page 5

7 Third Party- Third Party shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process personal data. Recipient- The Data Subject's Consent- Recipient shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not. The Data Subject's Consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Data subject access request- The mechanism for an individual to request a copy of their data under a formal process and payment of a fee Sensitive personal data- Data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal record. Data Portability- Data Portability shall mean a data subject s ability to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system Page 6

8 Section Two 2.1 Guidelines for Data Collection 1. Data Controllers shall protect the privacy of natural persons with respect to the processing of personal data in accordance with the prescription of these guidelines and the provisions and prescriptions of Section 5; Part 1 and Part 2 of National Information Systems and Network Security Standards and Guidelines. 2. The collection of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life should not be undertaken except:- a. the data subject has given his explicit consent to the collection and processing of those data; or b. collection and processing is necessary for the purposes of carrying out the obligations and specific function of the controller in the field of employment; or c. collection and processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or d. collection and processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or e. the collection and processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defense of legal claims. Page 7

9 3. Where the data have not been obtained from the data subject, controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it: a. the identity of the controller and of the representative, if any, b. the purposes of the processing, c. any further information such as: i ii the categories of data concerned the recipients or categories of recipients; iii the existence of the mechanism for access to and the mechanism to rectify the data concerning the data subject 4. The transfer to another country of personal data which are undergoing processing or are intended for processing after transfer shall take place only if, without prejudice to compliance with the provisions of these guidelines pursuant to the provisions and prescription of Section 3; Part 1 and Part 2 of National Information Systems and Network Security Standards and Guidelines, the country in question ensures an adequate level of protection. 5. Controllers shall bring into force the directives and administrative provisions necessary to comply with these guidelines at the latest by the end of a period of twelve months from the date of its adoption and ensure that processing already under way on the date the national provisions pursuant to these guidelines enter into force, is brought into conformity with these provisions within twelve months of this date. 6. In order to ensure that people in Nigeria understand and have confidence in the proper use and safety of personal information, organizations shall implement effective privacy policies and procedures and shall state those privacy policies both online and offline. Page 8

10 2.2 Guidelines for Data Processing 1. Personal data must be processed fairly and lawfully; a. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that safeguards are in place and in compliance with the provisions of this document. b. adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. c. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; d. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. 2. Personal data may be processed only if: a. the data subject has unambiguously given his consent, or b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or c. processing is necessary for compliance with a legal obligation to which the controller is subject, or d. processing is necessary in order to protect the vital interests of the data subject, or e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or Page 9

11 f. processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy. g. processing of data is related to offences, criminal convictions and a complete register of criminal convictions may be kept only under the control of official authority. h. data relating to administrative sanctions or judgments in civil cases shall also be processed under the control of official authority. i. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or privacy of the data subject which require protection under paragraph 1 of this section. 3. Every data subject shall be able to obtain from the controller without constraint at reasonable intervals and without excessive delay or expense:- a. confirmation as to whether or not data relating to data subject are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; b. communication to data subject in an intelligible form of the data undergoing processing and of any available information as to their source; c. knowledge of the logic involved in any automatic processing of data concerning data subject at least in the case of the automated decisions. Page 10

12 d. rectification, erasure or blocking of data which does not comply with the provisions of these guidelines, in particular because of the incomplete or inaccurate nature of the data; e. notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with these guidelines. 4. The controller shall implement technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art systems and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected with secure connection and encryption as minimum. 5. The carrying out of processing by way of a processor must be governed by a contract or legal agreement binding the processor to the controller and stipulating in particular that: a. the processor shall act only on instructions from the controller; b. the obligations set out in paragraph 4 shall also be incumbent on the processor. 6. For the purposes of keeping proof, the parts of the contract or the legal agreement relating to data protection and the requirements relating to the measures referred to in paragraph 4 shall be in writing. 7. The data subject shall have the option to:- a. object to request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or b. to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the Page 11

13 mechanism for objection free of charge to such disclosures or uses. c. controllers shall provide information clearly; to ensure that data subjects are aware of the existence of the option referred to in a above. 8. Any person acting under the authority of the controller or of the processor, including the processor, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law. 9. The controller shall, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. 2.3 Guidelines for Data Access 1. Data Controllers shall neither restrict nor hinder the free flow of personal data between authorized third parties. 2. A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system. 3. Controller or the representative must provide a data subject from whom data are collected with at least the following information, except where such person already has it: a. the identity of the controller and of the representative, if any, b. the purposes of the processing for which the data are intended, c. any further information such as: i the recipients or categories of recipients of the data; Page 12

14 ii whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; iii the existence of the mechanism for access to and the mechanism to rectify the data concerning him insofar as such further information is necessary, having regard to the specific circumstances in which the data are collected, to ensure fair processing in respect of the data subject. 4. The adequacy of the level of protection afforded by another country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the rules of law, both general and sectorial, in force in the receiving country in question and the professional rules and security measures which are complied with in that country which shall not be lower than the content of the guidelines contained herein this document. 5. Where the controller finds that any country does not ensure an adequate level of protection within the contents of these guidelines, controller shall prevent any transfer of data to the country in question. 6. Any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions pursuant to these guidelines is entitled to receive compensation from the controller for the damage suffered. 2.4 Guidelines for Data Security Officers 1. Each organization shall designate an employee of that organization as the organization s Data Security Officer whose duty shall include: i. Ensuring that organization adhered to the stated policies. Page 13

15 ii. iii. Ensuring continued adherence to data protection and privacy policies and procedures. Ensuring that individual data is protected; and provide for effective oversight of the collection and use of individual information. iv. Be responsible for effective data protection and management within that organization; and ensure compliance with the privacy and data security policies. v. Training and education for employees to promote awareness of and compliance with the privacy and data security policies vi. Developing recommended practices and procedures to ensure compliance with the privacy and data security policies. 2. Not later than 12 months after the date of adoption of these guidelines, each organization shall conduct a detailed benchmark assessment of the privacy and data protection policies and practices of that organization with regard to the collection, use, sharing, disclosure, transfer, and security of personally identifiable information relating to the organization employees and the public. At a minimum, each benchmark assessment shall determine and state: i. the personally identifiable information the organization collects on employees of the organization; and members of the public; ii. any purpose for which the personally identifiable information is collected; iii. iv. any notice given to individuals regarding the collection and use of personal information, relating to that individual; any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual; Page 14

16 v. whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent; vi. vii. viii. ix. the policies and practices of the organization for the security of personally identifiable information; the policies and practices of the organization for the proper use of personally identifiable information; the training and education procedures of the organization to adequately train personnel; organization policies and procedures for privacy and data protection; x. the policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and xi. the policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies. Page 15

17 Section Three 3.1 Data Protection Guidelines Principles Data Protection Guidelines consists of eight principles which are guidelines for best practice in handling personal data: Principle 1 Personal data must be processed fairly and lawfully Tell people for which purposes the data is being collected, and if applicable, that the data may be sent outside of Nigeria. Recorded telephone messages are useful tools for enabling these types of message, and can be optional (for example, press 1 to hear the Data Protection message). Notices should be prominent where CCTV is used as these images are covered by the Data Protection guidelines and would be in scope for data subject access requests if the images are not overwritten within 30 days Principle 2 Personal data shall only be used in accordance with the purposes for which it was collected Ensure data collected for one purpose is not then used for a different purpose. This can be covered off by including all likely purposes in the Data Protection fair processing message. The purposes for collecting the data must be reasonable and obviously lawful. Page 16

18 3.1.3 Principle 3 Personal data must be adequate, relevant and not excessive Do not collect data just in case it might be useful Principle 4 Personal data must be accurate and where necessary kept up to date Allow individuals the ability to update their data or to have it updated. This includes marketing communications. It is common practice nowadays for organizations to provide an opt-in approach to marketing ( tick here if you wish to be contacted for marketing purposes ), and to enable the updating of personal data online Principle 5 Personal data must be kept for no longer than is necessary Develop a retention policy for personal data and ensure it is enforced Principle 6 Personal data must be processed in accordance with the rights of data subjects Ensure any requests from individuals for a copy of their data are responded to promptly and the data is provided within 7 days. Establish whether or not you require a fee to be paid, and how it should be paid. Provide opt-in tick boxes for marketing communications and ensure this is accurately captured in systems. Many complaints rightly arise from people receiving marketing s or calls when they have not requested them. Page 17

19 3.1.7 Principle 7 Appropriate technical and organizational measures must be established to protect the data To protect systems from hackers, set up firewalls at your network perimeter, store the data itself securely with only specific authorized individuals having access. Do data encryption. Develop an organizational policy for handling personal data (and other sensitive or confidential data) and set up a staff training program accordingly. Consider additional protection when ing personal data over the internet, as is inherently insecure Principle 8 Personal data must not be transferred outside Nigeria unless adequate provisions are in place for its protection If a requirement exists to send or transfer data outside Nigeria, consider the following: Does the receiving country have an adequate Data Protection Guidelines legislation equivalent to that of Nigeria? Is it necessary to send the data as part of the fulfilment of a contract? Has the data subject consented? (Does the fair processing notice include a statement to the effect that it may be transferred outside Nigeria?) Is the data being processed outside of the Nigeria by another office of the same firm which is established within Nigeria? Is there a contract in place between the data controller and the receiving organization providing for adequate protection of personal data? Page 18

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

Code of Conduct. Corporate Data Protection. We make ICT strategies work

Code of Conduct. Corporate Data Protection. We make ICT strategies work Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

INERTIA ETHICS MANUAL

INERTIA ETHICS MANUAL SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible

More information

DIFC LAW NO. 1 OF 2007

DIFC LAW NO. 1 OF 2007 DATA PROTECTION LAW DIFC LAW NO. 1 OF 2007 Consolidated Version (December 2012) Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012 CONTENTS PART 1: GENERAL... 4 1. Title... 4 2. Legislative

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

Comments and proposals on the Chapter II of the General Data Protection Regulation

Comments and proposals on the Chapter II of the General Data Protection Regulation Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

ANNEX 1. LAW ON PERSONAL DATA PROTECTION

ANNEX 1. LAW ON PERSONAL DATA PROTECTION ANNEX 1. LAW ON PERSONAL DATA PROTECTION UNOFFICIAL TRANSLATION 1 PARLIAMENT OF THE REPUBLIC OF MACEDONIA Pursuant to Article 75, Paragraphs 1 and 2 of the Constitution of the Republic of Macedonia, the

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom

More information

DRAFT BILL. The PRESIDENT OF THE REPUBLIC To be known that the National Congress decrees and I sanction the following Law.

DRAFT BILL. The PRESIDENT OF THE REPUBLIC To be known that the National Congress decrees and I sanction the following Law. DRAFT BILL Provides for the processing of personal data 1 to guarantee the free development of the natural person's personality and of its dignity. The PRESIDENT OF THE REPUBLIC To be known that the National

More information

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of. Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students University of Liverpool Online Programmes - Privacy Policy for Visitors and Students PLEASE NOTE: The following privacy terms relate to the University of Liverpool s online programmes and not The University

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Data Protection Good Practice Note

Data Protection Good Practice Note Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection

More information

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010 1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by

Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data modified by the Law of 31 July 2006 the Law of 22 December 2006 the Law of 27 July

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

Personal Data Act (523/1999)

Personal Data Act (523/1999) 1 NB: Unofficial translation Personal Data Act (523/1999) Chapter 1 General provisions Section 1 Objectives The objectives of this Act are to implement, in the processing of personal data, the protection

More information

The Romanian Parliament adopts the present law. Chapter I: General Provisions

The Romanian Parliament adopts the present law. Chapter I: General Provisions Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, amended and completed The Romanian Parliament adopts the present law.

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

I. EBF KEY PRIORITIES. A. Data breach notification

I. EBF KEY PRIORITIES. A. Data breach notification D1391E-2012 29.10.2012 EUROPEAN BANKING FEDERATION PROPOSED AMENDMENTS TO THE EUROPEAN COMMISSION PROPOSAL FOR A REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

More information

CHAPTER I GENERAL PROVISIONS

CHAPTER I GENERAL PROVISIONS Proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Data Protection A Guide for Users

Data Protection A Guide for Users Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Preamble The highest level of personal data protection is particularly important for KCG Partners Law Firm. The purpose of this Data Protection Policy is to inform the visitors

More information

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY 1. Purpose 1.1 The Data Protection Act 1998 ( the Act ) has two principal purposes: i) to regulate the use by those (known as data controllers) who obtain,

More information

Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring *

Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring * 1 Unofficial Translation Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring * The Office for Personal Data Protection, September 2007 In accordance

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

CHAPTER 1 General Provisions. Article 1

CHAPTER 1 General Provisions. Article 1 Amendments 2004-01-01 Journal of Laws of 2002 No. 153, item 1271 Art. 52 2004-05-01 Journal of Laws of 2004 No. 33, item 285 Art. 1 2004-03-01 Journal of Laws of 2004 No. 25, item 219 Art. 181 2006-09-06

More information

Privacy Rules for Customer, Supplier and Business Partner Data

Privacy Rules for Customer, Supplier and Business Partner Data Privacy Rules for Customer, Supplier and Business Partner Data Contact details Philips Privacy Office c/o Philips International BV, Amstelplein 2, 1096 BC, the Netherlands. E-mail: Philips_Privacy_Office@philips.com

More information

Brussels, 20 July 2010 (Case 2009-0215) 1. Proceedings

Brussels, 20 July 2010 (Case 2009-0215) 1. Proceedings Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Investment Bank (EIB) concerning procedures related to "360 Leadership feedback report" Brussels,

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Table of contents: ***

Table of contents: *** Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY POLICY on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY CONTENTS 2 DATA PROTECTION POLICY 1 GENERAL PROVISIONS... 6 1.1 Purpose... 7 1.2 Rationale... 7 1.3 Scope...

More information

International Data Protection Policy

International Data Protection Policy International Data Protection Policy Revised April 2013 Table of Contents Statement from the President and CEO... 5 Visteon International Data Protection Policy... 6 1.0 Purpose... 6 2.0 Scope... 6 3.0

More information

PRIVACY AND DATA SECURITY MODULE

PRIVACY AND DATA SECURITY MODULE "This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which

More information

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident AGREEMENT BETWEEN THE UNITED STATES OF AMERICA AND THE EUROPEAN UNION ON THE PROTECTION OF PERSONAL INFORMATION RELATING TO THE PREVENTION, INVESTIGATION, DETECTION, AND PROSECUTION OF CRIMINAL OFFENSES

More information

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM On 25 January 2012, the European Commission published a proposal to reform the European data protection legal regime. One

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES GLOBAL FORUM 2009 ICT & The Future of the Internet - Monday, October 19 th 2009 paolo.balboni@bakernet.com Introduction & Structure ENISA Working Group

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions

More information