IRISH BANKING FEDERATION DATA PROTECTION GUIDE MAY 2013



Contents

1. INTRODUCTION
   Data Protection and Other Legislation
   Definitions
2. DATA PROTECTION PRINCIPLES
   2.1 Obtain and process data fairly
   2.2 Process it only for one or more specified, explicit and lawful purposes
   2.3 Use and disclose it only in ways compatible with the purposes for which it was obtained
   2.4 Keep it safe and secure
   2.5 Keep it accurate, complete and up-to-date
   2.6 Ensure that it is adequate, relevant and not excessive
   2.7 Retain it no longer than is necessary for the specified purpose or purposes
   2.8 Give a copy of his/her personal data to an individual, on request
MANAGEMENT OF POSSIBLE BREACHES OF PERSONAL DATA SECURITY
APPENDIX ONE - MARKETING OPTIONS TABLE

1. INTRODUCTION

Members of the Irish Banking Federation (IBF) collect and process personal data as an essential business activity. This activity is subject to the requirements of the Data Protection Acts 1988 and 2003 ("the Acts"), which are enforced by the Office of the Data Protection Commissioner (ODPC).

The information set out in this Guide is aimed at Members of the IBF ("Member Institutions"), in order to set out their responsibilities when collecting and processing personal data. The Guide is not intended to be a complete description of the responsibilities and rights of Member Institutions when collecting and processing personal data. Member Institutions are supported, when required, by their legal advisers. It is the responsibility of each Member Institution to ensure compliance with Data Protection legislation; this Guide is intended to assist Member Institutions in doing so by providing guidance. It supports the individual Member Institution's procedures and guidelines for their employees in relation to compliance with Data Protection legislative requirements.

The Guide is also aimed at customers and prospective customers of Member Institutions, in order to provide an easy reference guide to assist them in understanding what happens to their personal data in a financial context. However, the Guide is not intended to be a definitive or complete description of the rights and responsibilities of Member Institutions, and any customer who has a concern as to the use of their personal data by a Member Institution should consult the Data Protection legislation. Member Institutions maintain information pertaining to data protection requirements on their websites to assist their customers.

This Guide provides examples of everyday situations in a financial context to illustrate how Member Institutions comply with the legislation and how the principles of data protection are applied.
The IBF is committed to promoting adherence to this Guide amongst its members. An up-to-date list of IBF members is available from the IBF website. The Guide has been prepared taking into account existing Data Protection legislation and guidance made available by the ODPC. The Guide will be reviewed and updated as required in line with changes to Data Protection legislation. This Guide is of use to any Member Institution that collects and processes personal data.

If an individual wishes to ascertain his/her rights in relation to Data Protection legislation, he/she should examine the relevant legislation, visit the Data Protection Commissioner's website or contact the ODPC by LoCall. A customer may also wish to refer to the Privacy Statement available on each Member Institution's website, which will advise of the privacy and security of a customer's information when used by that Member Institution.

Data Protection and Other Legislation

Due to the ever-evolving legal and regulatory environment in which Member Institutions operate, the requirements to obtain and retain personal data in order to comply with, or to evidence compliance with, various legal and regulatory requirements may be subject to change. Member Institutions may seek legal advice or refer the matter to the ODPC for guidance where there may be apparent conflict between Data Protection legislation and other legislative requirements. In addition, the Revenue Commissioners has published a Guidance Note for Financial Institutions outlining the reporting requirements in relation to the return of interest and other payments under the Return of Payments Regulations. The Guidance Note is available on the Revenue Commissioners' website.

Definitions

As with any legislation, certain terms have particular meaning. The following are some useful definitions in relation to data protection legislation:

Access Request is a request by a customer to obtain a copy of any personal information relating to him/her kept on computer or in a structured manual filing system, or intended for such a system, by any Member Institution.

Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.

Data means information in a form which can be processed. It includes both automated data and manual data.

Data Controllers are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, government departments or voluntary organisations, or they can be individuals such as medical professionals, pharmacists or sole traders.

Data Processors are those who process personal data on behalf of a data controller, but do not include an employee of a data controller who processes such data in the course of his/her employment. Again, individuals such as medical professionals, pharmacists or sole traders may be considered to be legal entities.

Data Processing has a broad definition within the meaning of the Acts. It includes:
- Obtaining, recording or storing data;
- Altering or adapting data;
- Combining, transferring, erasing or destroying data.

Data Subject is an individual who is the subject of personal data.

Guarantor is an individual who guarantees to pay for another individual's or entity's debt if the individual or entity defaults on the loan obligation.

Manual data means information that is kept as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances.

Processing means performing any operation or set of operations on data, including:
- Obtaining, recording or keeping data;
- Collecting, organising, storing, altering or adapting data;
- Retrieving, consulting or using data;
- Disclosing the information or data by transmitting, disseminating or otherwise making it available;
- Aligning, combining, blocking, erasing or destroying data.

Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals so that specific information is accessible.

Sensitive personal data relates to specific categories of data which are defined as data relating to a person's racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; and trade union membership. Data subjects have additional rights in relation to the processing of sensitive personal data.

2. Data Protection Principles

Data protection is about a person's fundamental right to privacy. A person is entitled to access information and to correct data (personal information) that is stored about him/her. Organisations, including financial institutions, which retain data about a person have to comply with data protection principles and data protection legislation. There are eight Data Protection principles to which Member Institutions must adhere in relation to Personal Data. These principles are described in this section of the Guide.

2.1 Obtain and process data fairly

Principle

Section 2 (1) (a) of the Acts requires that: "the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly"

This is the fundamental principle of data protection. If an organisation wishes to obtain and retain personal data about individuals, it must collect and process (or use) that information fairly. This provision requires that:

a. At the time of providing personal data, individuals are made fully aware of:
   - The identity of the persons who are collecting it (though this may often be implied);
   - To what use(s) the information will be put;
   - The persons or category of persons to whom the information will be disclosed.
b. Secondary or future uses, which might not be obvious to individuals, should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of stating whether or not they wish their information to be used in these other ways.
c. If a data controller has information about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the information was collected), he or she is obliged to give an option to those individuals to indicate whether or not they wish their information to be used for the new purpose.
This is how a data controller achieves transparency and informed consent, the touchstones of fairness in data protection.

In practice

Member Institutions obtain and process personal data at the start of an individual's (customer's) relationship, e.g., in order to open accounts, provide loans and credit cards, and/or to comply with anti-money laundering or other relevant legislation. Member Institutions may, where the individual has consented, also obtain and process information throughout the lifetime of the relationship with customers, in order to provide other products or services, or to correspond with them in relation to existing or other products and services that may be of interest to them.

Examples in a Banking Context

Where a Member Institution processes personal data (information), it will be collected and processed fairly, i.e.:

a. Member Institutions will make clear on application forms and other appropriate documentation, including on websites, the identity of the data controller, the purpose(s) for collecting personal data, and to whom it may be disclosed. Examples of why Member Institutions collect personal data include the following:
   - Consent to use and process the information provided to open an account or transact the requested business activity;
   - To establish a person's identity and home address to comply with legislative and regulatory requirements;
   - To have sufficient information to enable the Member Institution to make a decision on a loan application.
b. Where a Member Institution wishes to use personal data for purposes unrelated to that for which the Member Institution obtained the personal data under (a) above, the Member Institution will seek the individual's consent prior to using the personal data for the new purpose(s), e.g., to offer a different service or a different way of delivering a service.
c. Where a Member Institution collects and processes sensitive personal data (see Note 1) within the meaning of the Acts, the individual to whom the personal data relates must give explicit consent, unless it is otherwise permitted under the Acts, e.g., personal medical records for the purposes of providing life assurance products.
d. Member Institutions will advise individuals when it is intended to record telephone calls and all of the purposes for the recording, e.g., for training purposes, regulatory requirements such as Stock Exchange rules, telephone sales records and distance marketing. This also relates to the recording of outbound calls, if applicable.
e. Member Institutions will obtain the individual's consent to search the database of a credit reference agency. Member Institutions will only search a credit reference agency if the product/service concerned involves credit being facilitated or has the potential for credit to be facilitated, e.g., a current account with an overdraft facility or when managing clients in financial difficulty.

Note 1: Sensitive Personal Data as defined by the Data Protection Acts means personal data as to: (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject; (b) whether the data subject is a member of a trade union; (c) the physical or mental health or condition or sexual life of the data subject; (d) the commission or alleged commission of any offence by the data subject; or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

2.2 Process it only for one or more specified, explicit and lawful purposes

Principle

Section 2 (1) (c) (i) of the Act specifies that: "the data shall have been obtained only for one or more specified explicit and legitimate purposes"

An organisation may not keep information about individuals unless it is held for a specific, lawful and clearly stated purpose. It is therefore unlawful to collect information about individuals routinely and indiscriminately, without having a sound, clear and legitimate purpose for so doing. Data controllers who are required to register with the Data Protection Commissioner include in their register entry a statement of the purpose for holding personal data. This information is publicly available on the Data Protection Commissioner's website. If those data controllers keep or use personal data for any purpose other than the specified purpose, they may be guilty of an offence.

In practice

Personal Data is obtained by Member Institutions to process applications, to set up accounts, to administer products and services, to undertake credit searches, for possible future direct marketing and to fulfil other legal obligations, e.g., anti-money laundering legislation.

Examples in a Banking Context

Member Institutions will only collect and hold personal data on the basis that they have a clear and legitimate purpose for doing so. For example:

a. Member Institutions are now required by law to request a copy of an individual's Tax Reference Number (TRN) when an account is opened on which an individual can potentially earn credit interest. Under the EU Savings Tax Directive, non-Irish citizens may also be requested to provide details of their equivalent social insurance numbers. Member Institutions are also required to report to tax authorities the amount of interest their customers have earned in line with Revenue requirements. This information will not be used for any other purpose.
   Account opening can proceed if a person does not provide a Personal Public Service Number (PPSN)/TRN.
b. Member Institutions must maintain records concerning individuals' identity (such as copies of passports or driver's licences), evidence of address (such as copies of utility bills), and other relevant data for specified periods of time under European and International legislation which is designed to combat money laundering and terrorist financing.
c. Member Institutions may be required to retain documentation and information about individuals for longer periods of time where, for example, a direction is placed on a Member Institution by a statutory body, e.g., the Revenue Commissioners, or in cases of litigation. (See Section 2.7 on retention requirements.)
d. Member Institutions may record and retain CCTV images for legitimate purposes, such as security, and the prevention and detection of fraud. Normally, images will not be retained for longer than one month. However, they can be retained for longer where certain incidents require the Member Institutions to do so, e.g., to facilitate the investigation of security incidents or suspected fraud. Access to and disclosure of images will be carefully controlled. Member Institutions should also display appropriate signage to identify the use of CCTV.
e. Member Institutions may use fairly obtained information for the direct marketing of products and services to customers and non-customers.
f. Member Institutions will respect a customer's decision to opt in or to opt out of the receipt of direct marketing communications. These preferences will be recorded and adhered to by the relevant Member Institution. Member Institutions will advise individuals every time on how to opt out of future direct marketing communications.
g. Member Institutions will, at all times, ensure that they adhere to their responsibilities in relation to direct marketing in line with the Acts, the Consumer Protection Code and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011, and any other legislative or regulatory requirements as appropriate.
h. A table setting out the type of consent that is required for marketing purposes is included in Appendix One.

2.3 Use and disclose it only in ways compatible with the purposes for which it was obtained

Principle

Section 2 (1) (c) (ii) of the Act specifies that: "the data shall not be further processed in any manner incompatible with that purpose or those purposes"

If personal information is obtained for a particular purpose, it may not be used for any other purpose, and may not be divulged to a third party, except in ways that are "compatible" with the specified purpose for which it was given. A key test of compatibility is whether the data is used and disclosed in a way in which those who supplied the information would expect it to be used and disclosed. The question to ask is: would the data subject be surprised if he/she found out what their data was being used for and who was using it?
Transfers of personal data to an agent, who is processing the data on behalf of another organisation and not retaining it for his/her own purposes, do not constitute "disclosures" of data for the purposes of the Act and are acceptable. Examples of such transfers would include the transfer of staff data to a separate payroll company for payroll administration purposes, the transfer of data to an agent for the purposes of processing customer payments where an appropriate written contract is in place, and the transfer of personal data from a general practitioner to a clinical laboratory for analysis of tissue samples.

The restriction on processing of personal data (including disclosure to a third party) is lifted in a limited number of circumstances, specified in Section 8 of the Data Protection Acts, where the right to privacy must be balanced against other needs of civil society, or where the processing is in the interests of the individual. For example, processing of personal information: required in the interests of protecting the international relations of the State; required urgently to prevent injury or other damage to the health of a person, or serious loss or damage to property; or required by or under any enactment or by a rule of law or order of court. The ODPC sets out further guidance in relation to the legal basis for private sector sharing of personal data on its website at: e_pr/530.htm

In practice

Where a Member Institution obtains personal data for a particular purpose(s), the personal data will not be used or disclosed, except in ways that are compatible with that particular purpose(s), unless otherwise permitted under the Acts.

Examples in a Banking Context

Persons to whom personal data may potentially be disclosed include the following:

a. Persons acting on the individual's (data subject's) behalf, e.g., solicitors, executors, intermediaries (provided the data subject has given written authority for the person to act on their behalf). Member Institutions will not disclose a customer's personal data to other external third parties without their consent. The Member Institution should always check that the person is authorised to act for the data subject and that the Institution is authorised to furnish the person with the data subject's information. If in doubt, Member Institutions should check with their Legal Advisers before releasing any data to a third party.
b. The Financial Services Ombudsman, the Pensions Ombudsman, the ODPC, the Central Bank of Ireland, or an equivalent foreign supervisory body, or a complaints body to whom a complaint has been made.
c. Other group companies in pursuit of the company's legitimate business interests. Subject to local laws, personal data may be shared between group companies without consent, assuming a legitimate business purpose and notice to the customer. In the case of Ireland, the UK and the US, there is no consent requirement for transfers of data between group companies.
d. An Garda Síochána, the Central Bank of Ireland, the Office of the Revenue Commissioners, the ODPC or any other entity authorised by law to access individuals' records. Such requests must be in writing stating the legal basis on which access is sought.
e. Third party service providers to Member Institutions (e.g., external investigators, fraud prevention agencies, debt collection and/or recovery agents, firms responsible for computer maintenance or similar services, solicitors or other contractors/service providers, etc.) provided appropriate contracts (which include security and confidentiality clauses) are in place. The ODPC's Annual Report 2011 includes a case study (Case Study 13, page 63) of the use of personal data by Private Investigators.
f. Guarantors, i.e., persons guaranteeing repayment of a facility to a customer, particularly in respect of arrears and recoveries, and limited to data in relation to the facilities guaranteed by the Guarantor.

2.4 Keep it safe and secure

Principle

Section 2 (1) (d) of the Act requires that: "Appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing"

The security of personal data is all-important. It will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity. High standards of security are, nevertheless, essential for all personal data. Both data controllers and data processors must meet the requirement to keep data secure and not expose it to any unauthorised access. The ODPC provides the following guidance in relation to data security:

Appropriate security measures

In determining what security measures should be put in place in order to satisfy the requirements of section 2 (1) (d), a number of factors may be taken into consideration, including:
- The state of technological development: measures must be reviewed over time;
- The cost of implementing the measures: larger organisations with greater resources can be expected to implement more advanced measures, or update measures more regularly, than smaller bodies;
- The harm that might result from unlawful processing: might someone be at a financial loss or be at risk of suffering injury as a result of disclosure or destruction of data? For example, a third party could gain access to the data subject's personal data and use the data for unlawful purposes;
- The nature of the data concerned: there is a greater duty of care relating to the processing of sensitive personal data.

Staff training and compliance

A data controller or a data processor shall also ensure that staff are aware of the security measures.
This requirement may be satisfied by having appropriate training in place, e.g., web-based training courses on data protection, induction courses and day-to-day training. A data controller or a data processor is also responsible for ensuring that staff comply with these measures. This requirement may be satisfied by the automatic generation of audit trails or logs, combined with some form of internal audit or review procedure, i.e., the data controller or data processor can check what accounts staff are accessing and that it is appropriate for them to access those accounts.

In practice

Member Institutions have their own security policies in place in respect of customers' and employees' personal data. Member Institutions will ensure that appropriate security measures (both physical and technological) are in place against unauthorised access to, alteration of, disclosure of, or destruction of personal data, and against its accidental loss or destruction. These security measures will have regard to the nature of the data concerned and the potential to cause harm by the disclosure of that data, and will be implemented on a case-by-case basis. Member Institutions will ensure that security measures are reviewed on a regular basis having regard to technological developments and the cost of implementing measures.

Examples in a Banking Context

a. Member Institutions will apply appropriate security standards to the transmission of personal data to ensure that data is kept safe and secure.
b. Each Member Institution will take reasonable steps to ensure that its employees and third party contractors/service providers are made aware of its security standards and comply with them. This can be undertaken through training and monitoring of security standards and by ensuring that adherence to security standards is built into contracts with third party service providers.
c. Where personal data is transferred to a third party outside the European Economic Area (EEA), the Institution will ensure that the required data protection conditions are in place, including an appropriate contract. This is to assist in ensuring the security of the personal data being transferred outside of the EEA.
d. Member Institutions will have particular regard to the following areas:
   i. Clear access controls will be in place as appropriate to each Member Institution, so that personal data is only available to those people within the organisation that have a business requirement for such access, i.e., personal data should not be viewed or processed by staff that do not have a requirement to view it;
   ii. Member Institutions will ensure access to personal data is appropriate and monitored as IT systems are developed;
   iii. Appropriate procedures will be in place in relation to back-up of personal data and personal data contained in data server rooms;
   iv. Computer systems will be password protected to ensure the data is protected;
   v. Portable equipment (such as laptops, USB sticks and BlackBerry devices) will be appropriately secured, e.g., password protected with other factors of authentication, as appropriate to the sensitivity of the information, to ensure the data is protected;
   vi. Personal data on computer screens and manual files will be inaccessible to public viewing to ensure the confidentiality of the data;
   vii. Personal data will be disposed of securely when no longer required, e.g., shredding of paper, hard drives on PCs wiped, to ensure it does not get into the hands of third parties that may use it for unlawful purposes;
   viii. Member Institutions will have customer meeting centres available that allow for meetings/conversations with individuals to take place where they cannot be overheard;
   ix. Only authorised persons within Member Institutions will access credit reference agencies, and only for authorised purposes.
e. Where a Member Institution engages the services of an agent (for example a tracing agent for the purposes of debt recovery) or of a third party contractor or service provider to process personal data on its behalf, it will take the following steps to ensure that data protection standards are maintained:
   i. A Member Institution will only transfer personal data to a data processor on the basis of a written contract (or a contract in equivalent form) to ensure the data processor is legally bound to ensuring data protection standards are maintained;
   ii. The contract will require the data processor to apply appropriate security measures and to comply with all relevant Data Protection legislation;

   iii. The contract will require that the data processor will process the personal data only on the basis of the authorisation and instructions received from the Institution. The contract will also require that the personal data is not retained or used by the data processor for its own purposes;
   iv. Each Member Institution will satisfy itself that the data processor has suitable technical security measures and organisational measures in place to ensure compliance with data protection legislation.

2.5 Keep it accurate, complete and up-to-date

Principle

Section 2 (1) (b) of the Act requires that: "the data shall be accurate and complete and, where necessary, kept up-to-date."

An organisation must ensure that the personal data it keeps is accurate and up-to-date. An obligation also exists on the customer to ensure the organisation is updated where amendments are required to his/her personal information, i.e., change of address/contact details. Apart from ensuring compliance with the Acts, this requirement has an additional importance in that an organisation may be liable to an individual for damages if it fails to observe the duty of care provision in the Act applying to the handling of personal data.

In practice

Each Member Institution will ensure that:
a. Its procedures are adequate to ensure appropriate levels of personal data accuracy;
b. Where there are inaccuracies in the personal data held, the Member Institution will correct these errors no later than 40 calendar days after they are identified or brought to its attention by the data subject.

Note: A customer or an employee has a responsibility to inform the Member Institution of any relevant changes to his/her personal information in accordance with that Institution's procedures, e.g., a link on a website, internet banking messages, or customer engagement to prompt individuals to advise the Institution of any changes to personal data.
Examples in a Banking Context

Member Institutions will update their records/systems with new information as it is received from a customer in accordance with the Member Institution's procedures. Such new information may include change of address details, a new phone number, change in marital status, etc. New information may also include any inaccuracies noted by a customer, and these will be amended by the Member Institution as soon as possible. Member Institutions will ensure that any information received from a customer is recorded accurately on their IT systems in accordance with the Member Institution's procedures. For example, when a customer notifies a change of address, the Member Institution will update its records to ensure that the customer receives all correspondence at the new address.
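The staff-compliance check described under principle 2.4 above (automatic audit trails, combined with an internal review of which accounts staff are accessing and whether that access is appropriate) can be run as a routine log review. The following Python script is an added illustration, not part of the IBF Guide or of any Member Institution's systems: the staff register, the account identifiers, the audit-line format and the browsing threshold are all constructed for the example. It flags accesses by staff with no recorded business need for the account, accesses by ids that are not in the register at all, and staff who touch an unusually wide set of accounts in the reviewed period.

```python
"""Review of an account-access audit trail against recorded business need.

Added illustration (not from the IBF Guide): the staff register, account ids,
log format and threshold below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed staff register. "portfolio" holds the accounts an adviser
# services; "case_accounts" holds the accounts an investigator is assigned.
# Access to any other account has no recorded business need.
STAFF_REGISTER = {
    "u101": {"role": "branch_adviser", "portfolio": {"ACC-0001", "ACC-0002"}},
    "u202": {"role": "branch_adviser", "portfolio": {"ACC-0003"}},
    "u303": {"role": "fraud_investigator", "case_accounts": {"ACC-0002"}},
}

# Constructed audit-trail lines: timestamp, staff id, account id, action.
SAMPLE_LOG = """\
2013-05-06T09:01:12Z u101 ACC-0001 VIEW_BALANCE
2013-05-06T09:03:40Z u101 ACC-0002 VIEW_STATEMENT
2013-05-06T09:10:05Z u202 ACC-0001 VIEW_BALANCE
2013-05-06T09:11:30Z u303 ACC-0002 VIEW_STATEMENT
2013-05-06T09:12:00Z u303 ACC-0003 VIEW_STATEMENT
2013-05-06T09:15:22Z u999 ACC-0003 VIEW_BALANCE
2013-05-06T09:20:00Z u202 ACC-0004 VIEW_BALANCE
2013-05-06T09:21:00Z u202 ACC-0005 VIEW_BALANCE
2013-05-06T09:22:00Z u202 ACC-0006 VIEW_BALANCE
"""


@dataclass(frozen=True)
class Finding:
    staff_id: str
    account_id: str  # "*" when the finding concerns a pattern, not one account
    reason: str


def parse_log(text):
    """Parse whitespace-separated audit lines into (ts, staff, account, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, account, action = line.split()
        events.append((ts, staff, account, action))
    return events


def has_business_need(staff_id, account_id, register=STAFF_REGISTER):
    """True when the register records a servicing or case reason for the access."""
    entry = register.get(staff_id)
    if entry is None:
        return False
    allowed = entry.get("portfolio", set()) | entry.get("case_accounts", set())
    return account_id in allowed


def review_access_log(text, register=STAFF_REGISTER, browse_threshold=3):
    """Return findings for accesses without business need and for wide browsing.

    browse_threshold (hypothetical) is the number of distinct accounts one
    staff member may touch in the reviewed period before it is flagged.
    """
    findings = []
    accounts_seen = defaultdict(set)
    for _ts, staff, account, _action in parse_log(text):
        accounts_seen[staff].add(account)
        if staff not in register:
            findings.append(Finding(staff, account, "unknown staff id"))
        elif not has_business_need(staff, account, register):
            findings.append(Finding(staff, account, "no recorded business need"))
    # Browsing across many accounts is flagged even where each access was
    # permitted, so the reviewer can confirm the activity matches the role.
    for staff, accounts in accounts_seen.items():
        if len(accounts) >= browse_threshold:
            findings.append(
                Finding(staff, "*", f"accessed {len(accounts)} distinct accounts")
            )
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.staff_id:6} {f.account_id:9} {f.reason}")
```

On the constructed sample the review reports seven findings: the unknown id u999, four accesses by u202 outside its portfolio, one access by the investigator u303 outside its assigned case, and u202's browsing across four distinct accounts. The register is the piece a Member Institution would have to maintain from its own access-control and case-management records; the review itself is only as good as that record of business need.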

2.6 Ensure that it is adequate, relevant and not excessive

Principle

Section 2 (1) (c) (iii) of the Act requires that: "the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed"

Personal data retained by an organisation should be sufficient to enable the organisation to achieve its purpose and no more. Personal data should not be collected or kept if it is not needed, "just in case" a use can be found for the data in the future. An organisation should not ask intrusive or personal questions if the information obtained in this way has no bearing on the specified purpose for which personal data is held.

In practice

a. Member Institutions will not collect any more personal data than is necessary for the purpose for which it is required.
b. The collection of personal data from individuals will be kept under review to ensure that only relevant information is sought and provided, e.g., periodic review of application forms.

Examples in a Banking Context

Member Institutions will ensure that all product application forms only request information which is relevant to the product being applied for by the customer. Where additional information is requested, this information will be optional for the customer to provide. For example, when a customer is opening a savings account, the Member Institution will not seek employment information, as this type of information would only be relevant if the customer were seeking credit facilities, i.e., a loan. Legal/Compliance Departments in Member Institutions will review new documentation (i.e., product application forms) to ensure compliance with adequacy rules, relevance and that the information being requested or collected is not excessive.
2.7 Retain it no longer than is necessary for the specified purpose or purposes

Principle

Section 2(1)(c)(iv) of the Act requires that: "the data shall not be kept for longer than is necessary for that purpose or those purposes".

Nowadays personal data can be kept cheaply and effectively on computer. This requirement places a responsibility on data controllers to be clear about the length of time that data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal data, then that data should be routinely deleted. Personal data should never be kept "just in case" a use can be found for it in the future.

Particular attention should be paid to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which does not need to be held any longer. If a Member Institution wishes to retain personal data about customers to help provide a better service to them in the future, it must obtain the customer's consent in advance. Good housekeeping would also dictate that the need to retain records is reviewed regularly.

In practice

a. Each Member Institution will ensure that it has a data retention/disposal policy for both customers and non-customers/potential customers.

b. Member Institutions will retain personal data only for periods necessary for the specified purpose(s) or as required by relevant legislation/statutory codes or other regulatory direction. For example, under the Consumer Protection Code, personal data gathered in relation to the provision of products and services will be held for a period of 6 years after the ending of the client relationship.

c. In certain circumstances, Member Institutions may be required to retain personal data for longer periods of time where, for example, an order is placed on a Member Institution by the Office of the Revenue Commissioners. In other circumstances, Member Institutions may be permitted to retain personal data for longer periods of time where the provisions of Section 8 of the Data Protection Acts apply, e.g., where a Member Institution is required by law to retain the personal data.

Examples in a Banking Context

Information obtained from an individual for the purpose of a specific once-off event, e.g., a competition, will only be used for the purpose of that competition.

Member Institutions will ensure that when destroying data under a retention and disposal policy, the data for destruction is destroyed securely.
In the event that a customer provides a Member Institution with personal information to get an insurance quote, the Member Institution should only use the personal data to provide the customer with the insurance quote. The customer should be advised what the Member Institution will do with the data provided. If the customer does not proceed with taking out an insurance policy, the data provided should be destroyed and not used at a later date for another purpose, e.g., at the next renewal to offer a lower quote to the customer. Member Institutions will comply with regulatory obligations in relation to retention periods for insurance quotes given. If the customer wishes to accept the quote and proceeds with an application, the Member Institution should provide a full Data Protection Notice to the customer advising him/her exactly how their personal data will be used.

In the event that a customer makes a complaint, the data provided by the customer in relation to the complaint should only be used for investigating and resolving the complaint. The data provided should be retained for as long as is necessary to comply with the relevant regulatory requirements, e.g., the Consumer Protection Code. The data should be destroyed in line with the Member Institution's destruction policy.

2.8 Give a copy of his/her personal data to an individual, on request

Principle

Under section 4 of the Data Protection Acts, on making a written request, any individual about whom an organisation keeps personal data on computer or in a relevant filing system is entitled to:

A copy of the data;
A description of the purposes for which it is held;
A description of those to whom the data may be disclosed; and
The source of the data, unless this would be contrary to the public interest.

An organisation is also obliged to explain to the data subject the logic used in any automated decision-making process where the decision significantly affects the individual and the decision is based solely on the automated process.

This "right of access" is subject to a limited number of exceptions, which are listed below.

An individual making an access request must:

Apply to the organisation in writing;
Give any details which might be needed to help identify him or her and locate all the information that may be kept about him/her (e.g., previous addresses, customer account numbers).

The individual must also pay an access fee if one is charged. Organisations are entitled to charge up to a maximum of €6.35, although in some instances this fee can be waived.

Every individual about whom a data controller keeps personal data on computer or in a relevant filing system has a number of other rights under the Acts in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, the right to have personal data taken off a direct marketing or direct mailing list, and the right to complain to the Data Protection Commissioner. More details about the rights of individuals are given on the website of the ODPC.

There are a number of situations where exemptions apply to the right of access to data. Sections 4 and 5 of the Data Protection Acts set out a number of circumstances in which a person's right to see his/her personal records can be limited.
The ODPC outlines that this is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society on the other. The exemptions include:

1. If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing/collecting any taxes or duties, but only in cases where allowing the right of access would be likely to impede any such activities.

Note: It would obviously be unacceptable to allow a criminal suspect to see all of the information kept about him by An Garda Síochána, where this would be likely to impede the effectiveness of the criminal investigation. On the other hand, if allowing an individual access to personal data about him or her would not be likely to impede an investigation, then the access request would have to be complied with. Case Study 2/04 on the ODPC website provides an example of such a scenario.

2. If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention;

3. If the information is kept for certain anti-fraud functions, but only in cases where allowing the right of access would be likely to impede any such functions;

4. If granting the right of access would be likely to harm the international relations of the State;

5. If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation. For example, arrears cases where the case has progressed to court and the customer may be trying to determine what write-off amount (if any) a bank may have factored against their loan;

6. If the information would be subject to legal professional privilege in court. For example, data from a legal adviser to an Institution relating to the requestor;

7. If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved;

8. If the information is back-up data.

It is important to note that if a Member Institution has recently fulfilled an Access Request for an individual (e.g., within the previous year), it does not have to fulfil another Access Request in relation to the same information.

In practice

A data subject is entitled to a copy of his/her personal data as provided for under Data Protection legislation.

a. To make a request the individual should apply in writing, giving any details which are necessary to help the Institution identify him/her and locate the relevant personal data.
Contact details to assist with making such requests should be available in a number of places, for example on application forms, in booklets setting out Terms & Conditions, in various brochures and on IBF Members' websites. The data subject may be required to pay an access fee, which will not exceed the prescribed amount. The fee will be refunded if the request is not processed, or if it is necessary to rectify, supplement or erase the personal data concerned.

b. When a written access request is made and personal data is held by the Institution, the Institution will:

i. Provide the personal data requested to the individual within 40 calendar days of receiving the request and the applicable fee, if requested;

ii. Provide the personal data in a form which will be clear to the ordinary person, as far as possible;

iii. Ensure the personal data is given only to the data subject (or someone acting on his/her behalf and with his/her written authority);

iv. Not provide the response over the phone.

Please note that the statutory deadline for an Institution to respond to an access request may be extended by the time it takes the individual to provide the Institution with details which might reasonably be needed to help identify him/her and to locate all the information that may be kept about him/her.

c. The Institution may request ID from the data subject to ensure that the material collated on foot of the request is provided to them and not to an unauthorised third party.

d. Institutions will have documented procedures in place to ensure that all applicable manual and electronic files are checked for the personal data of the individual in respect of whom the access request is being made.

e. A data subject will not be entitled to certain information, e.g., data held for the prevention or detection of fraud, third party information, or opinions given in confidence.

f. Where a very broad request is received, it can be helpful to contact the data subject to assess whether the request can be better scoped to fully meet the specific requirements of the data subject.

g. If an Institution does not comply with an Access Request, a data subject may make a complaint to the ODPC. It is recommended that the data subject contact the Institution to indicate their intention to complain to the ODPC, as the issue may be addressed prior to the complaint going to the ODPC.

Examples in a Banking Context

The Access Request Pack is usually sent to the data subject by post (sometimes registered) or courier, or collected by the requestor at a bank branch convenient to the data subject.

In the event of an Access Request on a joint account from one of the customers only, a Member Institution may seek the consent of the other party to the account before releasing any information.
If consent is not given or is not forthcoming, the data relating to the other party will be redacted before being released to the requestor.

In the event that an individual seeking his/her information is linked to a Limited Company, relevant personal information relating to that individual will be provided on foot of an Access Request. This may include, for example, copies of identification documents provided by that person at account opening, such as a copy of a passport or address verification. Information in respect of a Limited Company is not in scope under the Acts and will therefore not be disclosed on foot of an Access Request.

In the current environment, many customers are experiencing financial difficulty and may be engaged in legal proceedings with their financial institution. There may be an order for discovery (discovery order) made on that institution as part of the legal proceedings. The customer may also make an Access Request to the institution, and it can often be the case that much of the information requested by the customer under an Access Request is similar to the information sought by way of the discovery order. However, a discovery order does not negate the obligations of the data controller to provide the data subject with a copy of the personal information requested from his/her file. A discovery order should always be treated as a separate request.

3. MANAGEMENT OF POSSIBLE BREACHES OF PERSONAL DATA SECURITY

A personal data breach is an unintended release of a customer's personal information to an external environment or person. An example of a data breach is correspondence sent to somebody other than the person for whom it was intended.

Each Member Institution has appropriate reporting mechanisms in place in respect of personal data breaches, in accordance with the ODPC's Personal Data Security Breach Code of Practice. This Code requires that all incidents in which personal data has been put at risk should be reported to the ODPC as soon as the data controller becomes aware of the incident, except when all three of the following apply: the full extent and consequences of the incident have been reported, without delay, directly to the affected data subject(s); the incident affects no more than 100 data subjects; and it does not include sensitive personal data or personal data of a financial nature. In case of doubt, in particular any doubt related to the adequacy of technological risk-mitigation measures, a data controller should report incidents to the ODPC.

Exception: If the data concerned is protected by technological measures which make it unintelligible to any person who is not authorised to access it, e.g., personal data stored on an encrypted laptop with secure access controls. This exception only holds where the protection was actually in force at the time of the incident; it does not apply if the key, password or credentials were also lost or compromised.

Even where there is no notification to the ODPC, the data controller should keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record should include a brief description of the nature of the incident and an explanation of why the data controller did not consider it necessary to inform the ODPC. Such records should be provided to the ODPC upon request.

Member Institutions each operate their own data breach procedures in accordance with the ODPC's Code of Practice.
If a customer is concerned that his/her personal data has been the subject of a data breach, the customer should contact his/her financial institution to discuss any concerns.

Appendix One - Marketing Options Table

The following table sets out the marketing requirements of not only the Data Protection Acts 1988 and 2003, but also the requirements set out in the applicable sections of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. 336 of 2011 (the Regulations), which transpose the E-Privacy Directive (2002/58/EC as amended by Directive 2009/136/EC) and came into operation on 1st July 2011.

Marketing channel                   Individual Customer (existing customer)   Individual Non-Customer                  Business Contacts (Customer & Non-Customer)
Postal Marketing                    Opt-Out                                   Opt-Out                                  Opt-Out
Text/Email Marketing                Opt-Out                                   Opt-In                                   Opt-Out
Phone Marketing to Landlines        Opt-In if on NDD*, Opt-Out otherwise      Opt-In if on NDD, Opt-Out otherwise      Opt-In if on NDD, Opt-Out otherwise
Fax Marketing                       Opt-In                                    Opt-In                                   Opt-Out
Phone Marketing to Mobile Phones    Opt-Out                                   Opt-In                                   Opt-In

*NDD - National Directory Database

(The row and column layout above is rebuilt from the original table, whose cells were flattened into a single line; the cell values are assigned from the cells present in the original.)

Opt-in means that a Member Institution can only market an individual where it has obtained the individual's explicit consent to do so. Opt-out means that a Member Institution can market an individual provided it has given him/her the option not to receive such marketing and he/she has not availed of this option. For electronic communication to a business, an option to unsubscribe must be included.

The Irish Banking Federation (IBF) is the principal voice of the banking and financial services sector in Ireland, representing over 70 member institutions and associates, including licensed domestic and foreign banks and institutions operating in the financial marketplace here. Nassau House, Nassau Street, Dublin 2, Ireland.

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data 1. Introduction Special data protection rules apply to the protection of Personal Data by Data Controllers in the electronic communications sector. These are in addition to the general obligations that

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Information Handling Policy

Information Handling Policy Information Handling Policy 10 December 2015 Information Handling Policy 1. Who We Are 1.1 In this Information Handling Policy, references to we, our, us and ClearView are to ClearView Wealth Limited and

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

Bacstel-IP. Customer Agreement for the Bacstel-IP Direct Service

Bacstel-IP. Customer Agreement for the Bacstel-IP Direct Service Bacstel-IP Customer Agreement for the Bacstel-IP Direct Service Customer Agreement for the Bacstel-IP Direct Service 1. INTRODUCTION This agreement relates to the provision of the Bacstel-IP Service (

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Information Privacy Policy

Information Privacy Policy Information Privacy Policy pol-032 Version: 2.01 Last amendment: Oct 2014 Next Review: Aug 2017 Approved By: Council Date: 04 May 2005 Contact Officer: Director, Strategic Services and Governance INTRODUCTION

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Information Paper for the Legislative Council Panel on Financial Affairs. Protection of Consumer Credit Data

Information Paper for the Legislative Council Panel on Financial Affairs. Protection of Consumer Credit Data LC Paper No. CB(1)691/03-04(01) Information Paper for the Legislative Council Panel on Financial Affairs Protection of Consumer Credit Data Purpose Pursuant to the request by the Panel vide the Clerk to

More information

Evolve Financial Solutions Mortgage & Insurance Services & Costs

Evolve Financial Solutions Mortgage & Insurance Services & Costs Evolve Financial Solutions Mortgage & Insurance Services & Costs Authorisation Statement Evolve Financial Solutions is Authorised and Regulated by the Financial Conduct Authority (FCA). The FCA regulates

More information

PRIVACY AND CREDIT REPORTING POLICY

PRIVACY AND CREDIT REPORTING POLICY PRIVACY AND CREDIT REPORTING POLICY 12 March 2014 CONTENTS What is personal information?...3 Information we may collect, use and disclose about you...4 Collection of sensitive information...6 How personal

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

How To Protect Your Data In European Law

How To Protect Your Data In European Law Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

Data Protection for Charities

Data Protection for Charities Data Protection for Charities CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent

More information

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...

More information

ANZ Privacy Policy PROTECTING YOUR PRIVACY 07.15

ANZ Privacy Policy PROTECTING YOUR PRIVACY 07.15 ANZ Privacy Policy PROTECTING YOUR PRIVACY 07.15 Contents Introduction to ANZ s Privacy Policy 4 Collecting your personal information 6 Using your personal information 9 Disclosing your personal information

More information

Data protection. The employment practices code

Data protection. The employment practices code Data protection The employment practices code Contents 3 Contents About the code 4 Managing data protection 11 Good practice recommendations 11 Part 1: Recruitment and selection 14 About Part 1 of the

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

PRIVACY POLICY Personal information and sensitive information Information we request from you

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

More information

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information