2 Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and others. Personal Data includes information identifying living individuals kept as written records (both paper-based and electronic) and in other formats, such as CCTV recordings. (Please see the "What is Personal Data" section of this policy for more details). Collection and processing of Personal Data is subject to a variety of legal requirements. It is the responsibility of apetito to demonstrate how it complies with these legal requirements and that it has procedures in place to handle personal information securely and appropriately. It is vital that apetito operates to a very high standard. Failure to do so can have serious commercial and legal implications for apetito's business. By law, apetito must comply with the eight data protection principles. These are set out in the Data Protection Act of 1998 ("DPA"), which in summary, require that Personal Data must be: Principle 1: processed fairly and lawfully Principle 2: processed for limited purposes Principle 3: adequate, relevant and not excessive Principle 4: accurate and up to date Principle 5: not kept longer than necessary for the purpose Principle 6: processed in accordance with the data subject's rights Principle 7: secure Principle 8: not transferred to countries outside the EEA without adequate protection What do I need to know? This policy is intended to provide an overall framework for apetito to demonstrate its compliance with data protection law. It contains explanations of apetito's legal requirements under the DPA and the operational procedures in place at apetito, including: Roles and Responsibilities The Legal Context Notification with the Information Commissioner s Office Data Storage Access to Data Data Security Data Destruction Handling Breaches of Data Protection Maintaining Compliance All staff (permanent or temporary) should make sure they are familiar with the content of this policy and comply at all times with the procedures set out in this policy when handling Personal Data. Also included within this policy are Data Protection and Privacy Statements for employees and applicants, in which apetito states to its employees and job applicants the purposes for which
3 Personal Data collected about them will be used and the circumstances in which such data will be disclosed. Who does this policy apply to? This policy applies to all users of Personal Data, that is: All entities of apetito Limited (including related companies if appropriate, including all sites at which the apetito operates now or at any time in the future; All managers, i.e. line and business managers, as well as those in the HR department who use Personal Data; and All employees (whether permanent, temporary or contractors) who use Personal Data. Under the terms of their contract with apetito all employees, temporary workers and others who have authorised access to Personal Data are responsible for handling Personal Data and maintaining confidentiality appropriately at all times. This policy does not form part of any employee's contract of employment and it may be amended at any time. Failure by any of these parties to adhere to this policy may result in civil or criminal legal action being taken against apetito, or against individual managers or employees by data protection authorities, or by the individuals to whom the Personal Data relates. It is the responsibility of apetito to ensure that its staff are aware of and comply with this policy. Any breach of this policy will be taken very seriously and employees who act outside the requirements or guidance set out in this policy will be asked to explain the reasons for their actions and may face disciplinary action. Wilful and negligent non-adherence to this policy by any employee is a serious disciplinary matter which could result in dismissal. Responsibilities of apetito To enable it to meet its obligations under data protection law, apetito will provide the following: Training for apetito managers (and relevant employees) on data protection issues and apetito procedures; Information for employees on data protection issues and apetito procedures as part of induction and on-going employment; Appropriate procedures to safeguard Personal Data and to ensure compliance with the eight data protection principles; and An escalation process whereby any potential issues should be raised with the Financial Director or, in their absence the HR Director. Any questions or concerns about the operation of this policy and/or the handling of Personal Data should be referred in the first instance to the Financial Director or in their absence the HR Director. The Legal Context What is Personal Data?
4 Personal Data - is any information: from which a living individual can be identified or which, together with other information that apetito possesses (or is likely to possess) an individual can be identified; and is processed, or intended to be processed by electronic or manual means, as part of a relevant filing system. Processing - is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties. For apetito this applies to: Personal Data and employment records relating to current, past and prospective employees and Personal Data of customers placing an order for an apetito product. Sensitive Personal Data - is a special category of Personal Data consisting of information about a living individual as to: racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sexual life, the commission or alleged commission of an offence, or any proceedings for any offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of any court in such proceedings apetito collects some items of Sensitive Personal Data. For example: a specific dietary or medical requirement of a customer in relation to the processing of their order of an apetito product; or an employment law requirement in relation to apetito staff (such as equal opportunities monitoring purposes, or for health and safety reasons). The collection and processing of Sensitive Personal Data is strictly regulated, generally requiring the explicit informed consent of the data subject to collect and process it (unless the collection is a legally imposed obligation) and imposing severe restrictions on access. It is apetito's policy to collect Sensitive Personal Data only when absolutely necessary. Sensitive Personal Data must be made available to users only on a strict "need to know" basis and managed with the highest practical level of security and confidentiality. Sensitive Personal Data should only be gathered from individuals if it is essential, in which case any necessary consent should be obtained. Fair and lawful processing The DPA is intended to ensure that Personal Data is processed fairly and without adversely affecting the rights of the data subject. The data subject must be told who the Data Controller is, the purpose for which the data is to be processed and the identities of anyone to whom the data may be disclosed or transferred.
5 For Personal Data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the Data Controller or the party to whom the data is disclosed. When Sensitive Personal Data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required. Processing for specified lawful purposes Personal Data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the DPA. This means that Personal Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs. Notification with the Information Commissioner s Office apetito is required to notify the Information Commissioner s Office ("ICO") that it handles Personal Data. Notification is the process by which a "Data Controller" (i.e. the organisation that determines the purposes of the processing of Personal Data) gives the ICO details about its processing of personal information. This notification includes: the types of information collated, the purpose for which it is used, and to whom information may be disclosed. Notification is a statutory requirement and failure to notify with the ICO is a criminal offence. The full procedure for notification can be found at: The main requirements set out by the ICO are as follows: one notification is required for each legal entity that is a Data Controller apetito must renew its notification(s) annually apetito must also notify the ICO when any part of its entry changes, or becomes inaccurate or incomplete within 28 days of such a change taking place. The ICO keeps a register of all Data Controllers, which is available to the public for inspection. This contains: name and address of Data Controller, general description of the processing of personal information. apetito's Data Controller has responsibility for maintaining its notification as a Data Controller with the ICO. Data Storage Personal Data should only be collected to the extent that it is required for the specific purpose notified to the data subject and must be accurate and kept up to date at all times. All employees, temporary workers and others at apetito handling Personal Data must follow the general data storage rules set out in this section. Paper records
6 Paper records containing Personal Data must always be stored securely unless in use and should not be left on desks or other areas accessible by third parties. Cabinets containing files must be kept locked and offices in which cabinets are located should also be locked when not in use. Documents containing Personal Data whose loss could be detrimental to apetito or its employees, or customers should be marked: ["Confidential For Internal Use only" and should be circulated to relevant individuals internally in a sealed envelope marked: "To be opened by Addressee only". Electronic records Electronic records containing Personal Data: o must either be encrypted or must be kept on devices which have their hard drives encrypted; o must be kept in separate folders to electronic files not containing Personal Data; o must only be transferred from desktop computers to portable devices if absolutely necessary. Records may only be put onto portable devices or media such as CDs, USB memory sticks or laptops if the device itself and/or the records are encrypted. Desktop computers and laptops on which electronic records are stored or accessed must be running an up-to-date operating system and up-to-date firewall and anti-virus software. If the premises where paper records and computer equipment and devices containing electronic records are kept are alarmed then the alarm must always be set. apetito has a separate policy on CCTV available via the apetito intranet Access to Data Processing in line with data subject's rights Data must be processed in line with the data subjects' rights. Data subjects have a right to: request access to any data held about them by a Data Controller; prevent the processing of their data for direct-marketing purposes; ask to have inaccurate data amended; and prevent processing that is likely to cause damage or distress to themselves or anyone else. Requests by Individuals relating to their own Personal Information Under the DPA, individuals have the right to request Personal Data (in any format) held about them by apetito. This is known as a Subject Access Request. It is important to note that this right only: relates to the requesting individual's Personal Data (and not to information relating to other people); and
7 allows access to information contained within documents (rather than documents themselves). There are some exemptions under the DPA in giving access to certain information contained within files. The main reasons for refusals relate to: protecting the health and safety of anyone concerned; protecting the privacy of a third party who may be identified if information is shared. To exercise their right of access, individual data subjects must make their request in writing and give appropriate notice to apetito 1. 1 NB: if the request is made by a disabled person, apetito may need to make reasonable adjustments to this expectation, as required under the Disability Discrimination Act 1995, for example by accepting a verbal request for information. Organisations must comply with Subject Access Requests within 40 days and may charge a fee of up to 10 for doing this. There is no limit under the DPA to the number of requests an individual may make for access to Personal Data held about them. However, organisations are not obliged to respond to similar or identical requests for information which have already been dealt with and without a reasonable lapse of time. The law does not define what constitutes reasonableness, but expects that organisations consider how often information is updated and how much new information is likely to have been recorded between requests. Procedure for dealing with Subject Access Requests Any member of staff who receives a written request for access to Personal Data should forward it immediately to the Head of HR. All Subject Access Requests shall be dealt with in accordance with apetito's Handling Subject Access Requests Procedure" which is available from the Head of HR or via the apetito intranet. Providing information over the telephone Any member of staff dealing with telephone enquiries should be careful about disclosing any Personal Data held by apetito. In particular they should: check the caller's identity to make sure that information is only given to a person who is entitled to it; ask that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked; refer to their line manager or the Data Protection Officer for assistance in difficult or unusual situations. No-one should be bullied into disclosing personal information; and keep a record of all disclosures. Data Security
8 Employees and other individuals who handle Personal Data at apetito are responsible for ensuring they only handle Personal Data in line with the requirements of the Data Protection Act 1998 and this policy. As a general principle, this includes: not sharing information with third parties without the consent of the individual concerned; and not enabling third parties to access Personal Data through insufficient attentiveness to its storage or management. apetito must ensure that appropriate security measures are taken against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss. The DPA requires apetito to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Personal Data, as follows: Confidentiality: only people who are authorised to use the data can access it. Integrity: Personal Data should be accurate and suitable for the purpose for which it is processed. Availability: authorised users should be able to access the data if they need it for authorised purposes. Personal Data should therefore be stored on apetito's central computer system instead of individual PCs. Any keys, passwords, user details, key cards or other security measures used to access data subjects details are personal to the Head of HR and must not be shared with anyone. Practical Security Measures apetito employs several security procedures and technologies to maintain the security of Personal Data. Employees and others at apetito with authorised access to Personal Data must follow these procedures at all times. These include: Entry controls: reporting any stranger seen in entry-controlled areas. Secure lockable desks and cupboards: keeping desks and cupboards locked if they hold Personal Data of any kind. (Please see: "Data Storage" section for further information about the storage of Personal Data.) Secure methods of disposal: shredding paper documents containing Personal Data. Media containing electronic documents should be physically destroyed when they are no longer required. (Please see: "Data Destruction" section for further information about the procedures for destruction of Personal Data.) Equipment: ensuring that individual monitors do not show any form of Personal Data or confidential information to passers-by and that individuals log off from or lock their PC when it is left unattended.
9 Passwords / Restriction by User: using passwords (which are regularly updated) and user access to restrict access to documents containing Personal Data. On-Site Working: at all times where possible, keeping all files and documents containing Personal Data on-site, or where a specific business need requires off-site working, encrypted memory sticks and password protected access should always be used. Strict policies on Subject Access Requests: avoiding accidental disclosure in person, by phone, or other methods (e.g. when conversations are overhead by others present or by failing to adequately verify the identity of the person making a request for information). (Please see: "Access to Data" section for more detail.) Security Software: ensuring that software and internet security are regularly updated. This list is for guidance and is not exhaustive. Further advice should be sought from the apetito Data Protection Officer where necessary. A risk assessment is also carried out annually as specific security requirements may change over time. (Please see the section: "Maintaining Compliance".) Disclosure of Personal Data to Third Party Data Processors It may be necessary to disclose Personal Data where this is: to enable apetito to perform its obligations under the contract of employment with the individual; or necessary for the conduct of apetito's business; or required by law. If apetito discloses Personal Data to outsourcing companies or third party data processors, whether external organisations or other companies owned by or related to apetito, (for example for payroll processing, telephone marketing, pensions administration, archiving or computer support), additional security measures must be taken, to ensure such third parties handle the Personal Data appropriately. In such circumstances apetito should ensure the following: Due Diligence - satisfy itself that the third party Data Processor is reliable, that it will keep data confidential, and that it has adequate technical and organisational security measures in place (e.g. this might be by requiring a minimum set of due diligence questions / requirements to be addressed, prior to entering into a contract); Contracts with Third Party - ensure a contract is in place binding the data processor to the same obligations that apply to apetito, and under which the data processor agrees to act only in accordance with instructions from apetito, and to take appropriate technical and organisational security measures when processing Personal Data; and Consider what is necessary - at all times ensure that no more Personal Data than necessary is provided by apetito to the third party data processor for the performance of the contract.
10 Unauthorised disclosure of Personal Data may result in disciplinary proceedings, could be grounds for dismissal and it could also lead to criminal proceedings being taken against anyone who has done so. If an employee of apetito has any doubt on whether Personal Data may be disclosed or transferred, they should seek the advice of the Financial Director or Head of HR before any transfer is made. Data Destruction apetito s approach to data destruction is that files and information relating to customers, and employees will only be destroyed upon specific request from the customer or employee. apetito will use its best efforts to make it clear to customers and employees that should they wish data about them to be destroyed then this will be done in an expeditious manner and securely. apetito will keep a record of all employee Personal Data destroyed. Paper records - paper records containing information about data subjects will be placed in confidential waste bins. Paper records should never be placed in normal waste bins, whether shredded or not Electronic records o media which contains electronic records but which is damaged or will not be used again (e.g. CDs) should be physically destroyed o electronic records and data files held on computers, laptops, USB sticks or other portable devices should be destroyed Handling Breaches of Data Protection A security breach may take place for several reasons, including one or more of the following: Loss or theft of Personal Data Inappropriate access/unauthorised use of Personal Data Equipment failure Human error Unforeseen circumstances, such as fire or flood Hacking or obtaining of information by deception. It is the responsibility of staff to report to their line manager any actual, potential or suspected breach of data protection law as soon as possible. Managers should then report this to the Financial Director and Head of HR In considering its response to a potential or actual breach of its data protection obligations, apetito's managerial team should then consider taking the following steps, in the order listed below:
11 1. Containment and Recovery of Data This may include: Initial investigation Establishing a data recovery plan Specialist input from IT and legal advisers. The following issues should be considered: Who needs to lead the investigation Who should be informed of the breach and any actions that should be taken to contain it (e.g. changing door codes / passwords) What can be done to recover lost data Consider whether the Police (other regulatory authorities) need to be informed. 2. Risk Assessment Consider the seriousness of the risk to individuals arising out of the breach. The following should be taken into account: Type of data involved (i.e. is does it involve Sensitive Personal Data) How many people are affected Who has been affected (e.g. staff, customers) Level of sensitivity Risk of harm, damage or distress to the affected data subjects Who now has access to the Personal Data The need to inform third parties Any wider risks (e.g. public health, reputational issues) The level of assessed risk should also inform the timescale for response and whether to notify the affected individuals and / or the ICO that a breach of Personal Data has taken place.
12 3. Notification 2 Consider whether notification of the breach is relevant. (NB: This is different to the annual requirement to notify with the ICO referred to earlier in this policy which is a legal requirement.) The following should be taken into account: Any legal and contractual requirements to notify Consider if notifying the individuals who have been affected by the breach will enable them to take steps to protect themselves If notifying affected individuals is appropriate consider the best means of notification Is the breach sufficiently serious to be notified to the ICO 4. Evaluation Establish if the breach is due to a one-off or systemic problem and take appropriate steps to remedy the situation and to prevent it happening again. This is likely to require completion of a new risk assessment and amendments to existing procedure and policy. Further guidance on this issue should be sought if necessary, for example from the ICO website, or from apetito's legal advisors. 2 In serious cases, breaches should be notified to the ICO. In making an assessment as to whether to notify the ICO, apetito managers should take into account the potential level of harm to individuals, either through the volume of data breached or its sensitivity
13 Maintaining Compliance Annual review and Risk Assessment This data protection policy is subject to an annual review, unless legal changes or other circumstances mean that an interim review is also appropriate. The next review date is set for [March 2014]. Risk Assessments and Policy Review apetito will carry out an annual risk assessment of data protection issues as part of each annual review and will put in place and / or update procedures to mitigate the impact of any identified risks. Responsibility for reviewing and updating this policy will rest with the Financial Director and HR Director Appendix 1 DATA PROTECTION AND PRIVACY STATEMENT EMPLOYEES
14 apetito Limited ("the Company) respects the privacy of the personal information you provide as an employees of the Company. This Statement explains how your information will be used and protected. It applies to information held about you now, or at any future date. Information that may be held about you includes, but it not limited to: your CV; application form; references; appraisal and disciplinary records; salary and pension details; details of other benefits; results of medical, security and financial checks; sickness records; personal contact details; bank account and tax details; and any other information relevant to the following purposes. This information may be held manually or electronically (e.g. databases; processing, communication, payment and other systems). It will be available, as required, at any location in which the Company operates. The Company may use your personal information for the following purposes: to appraise your job performance and make decisions concerning your recruitment, promotion, training, transfer, redeployment or career development; to determine, calculate and review your salary, bonuses and any other staff benefits including pension entitlements; to process payment of your salary, other authorised expenses or benefits to your account or by any other means; to take appropriate action in connection with illness, injury or death while you work; to comply with any statutory requests received from relevant public authorities/agencies; for any purpose required by law or regulation; for disciplinary purposes arising from your conduct or your ability to perform your job requirements; with other employee data, to enable the Company to make decisions and/or policies concerning its employees generally; with other employee data, to assist in the Company's business and financial monitoring, planning and decision making; to enable external and internal auditors to conduct regular reviews of people management within the Company; to support any business, administrative or security function required by the Company's operations, including, but not limited to: communication and processing systems; accident/sickness insurance; security of staff, systems and premises (CCTV; card entry systems; IT security systems); telephone recording; contingency planning; systems development and testing; monitoring internet and telephone usage; to support the Company's marketing and business development activities and to contact relevant people in the event of emergencies.
15 The Company may disclose your details to verify or obtain additional information about you from third parties including education institutions, present and past employers. For the purposes stated above, where relevant your personal information will be disclosed to managers and authorised staff within the Company including the HR department, your line manager and their delegates. Other than those listed below, your details will not be revealed to any external body, unless the Company has your consent or is under a legal obligation or entitlement or other duty to do so. When your details are disclosed to an external body, no more details will be given bout you than are necessary. The external bodies to which we may disclose your personal information are: any agent, contractor or third party service supplier providing administrative, payroll, telecommunications, computer, general insurance, accident and medical insurance, pension, legal or other services to the Company in connection with its business operations; any other person under a duty of confidentiality to the Company including, but not limited to, our external auditors; any business contact of the Company where it is necessary for the operation of the Company's business that such persons are given the contact or other details of an employee of the Company; any lawyer or firm of solicitors in connection with legal proceedings, to obtain legal advice, or whenever necessary to support the Company's legal rights; in the case of the merger or acquisition of all or any part of the Company's business, any actual or proposed purchaser, merger partner or their legal and financial representatives. Unless special circumstances your personal information will be retained following your departure from the Company, or as otherwise determined by applicable law. In the event that you wish data relating to you to be destroyed following your departure from apetito please contact the HR director. Please bear in mind that not all data can be destroyed as some of it must be preserved under statutory requirements.
16 Appendix 2 DATA PROTECTION AND PRIVACY STATEMENT JOB APPLICATIONS apetito Limited ("the Company") respects the privacy of the personal information provided by you, or by any other person, in connection with your application for employment. This Statement explains how your information will be used and protected. Your personal information will be used to determine your suitability for a position within the Company and, if applicable, your terms of employment or engagement. Your details may also be included in management information, which the Company uses to monitor its recruitment initiatives and equal opportunities policies. The Company recognises that some information held in the equal opportunities policy will be sensitive personal data and will not be disclosed without your explicit consent. Your details may be held manually or electronically (such as on the Company's databases available to authorised users). The Company may disclose your details to verify or obtain additional information about you from third parties including education institutions, present and past employers and, if applicable, credit reference agencies. (Credit reference agencies keep details of searches. You can contact us to find out which agencies have been used, if any.) For the purposes stated above, your details will be disclosed to managers and authorised staff within the Company. Other than those listed below, your details will not be disclosed to any external body unless you have consented or the Company is under a legal obligation or entitlement or other duty to do so: Agents, contractors or third party service suppliers providing services to support the Company's business operations; Persons under a duty of confidentiality to the Company including auditors and lawyers; Any lawyer or firm of solicitors in connection with legal proceedings, to obtain legal advice or whenever necessary to support the Company's legal rights;
17 Any person to whom we may transfer our rights and obligations under any agreement we may have with you. If your application is unsuccessful, your details will be retained by the Company as part of its poll of potential candidates. Should you not wish apetito to retain your details please let us know. Where can I get further advice? Further advice is available from the HR team or your HR representative. This policy is intended to be used for guidance only and does not rise to any contractual entitlement on the part of the employees. apetito reserves the right to review and amend, or withdraw this policy at any time.
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored
Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
East Northamptonshire Council Policy & Community Development Data Protection Policy December 2007 If you would like to receive this publication in an alternative format (large print, tape format or other
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
Data protection Quick guide to the employment practices code Ideal for the small business Contents 3 Contents Section 1 About this guidance 4 Section 2 What is the Data Protection Act? 5 Section 3 Recruitment
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational
LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY Introduction 1. Looe Community Academy Trust (the Academy) is required to maintain certain personal data about living individuals for the purposes of
Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection
Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...
Data Protection Policy Introduction. Team Bees is required to maintain certain personal data about living individuals for the purposes of satisfying operational and legal obligations. Team Bees recognises
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.
Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
Rick Parsons Information Governance Officer County Hall 01865 323593 firstname.lastname@example.org 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,
Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal
Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
Data protection policy Introduction The College is required to keep certain information about employees, students and other users to allow it to monitor performance, achievements, health and safety, recruitment
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction
BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information
WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...
University of Chichester Summary Electronic Information Security Policy 2015 Summary Electronic Information Security Policy Date of Issue 24 December 2015 Policy Owner Head of ICT, Strategy and Architecture
Data Protection Policy January 2016 Next Review Due: January 2017 Co-ordinator: Miss M Rudge/Mrs J McColl 1 ACADEMY DATA PROTECTION POLICY POLICY DATE: JANUARY 2016 REVIEW DATE: JANUARY 2017 Introduction
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?
A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;
PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject
Data Security and Extranet Derek Crabtree Schools ICT Support Manager email@example.com Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance
THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control
Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION