Information Governance Framework. June 2015


Information Security Framework Janice McNay June

Company: Thirteen Group
Lead Manager: Janice McNay
Date of Final Draft and Version Number: June 2015
Review Date: June 2018
Officer Responsible for Review: Janice McNay

POLICY STATEMENT

1.1 Thirteen Group and its partner companies need to collect, use and hold information about people in order to operate effectively and efficiently and ensure that services appropriate to the needs of employees and customers are provided.

1.2 This information may be personal and/or sensitive, and may be collected, recorded and stored both manually on paper and/or electronically. It is vital that any information, however it is collected or stored, is dealt with lawfully and correctly and there are safeguards in place in the Data Protection Act 1998 to ensure this.

1.3 This framework aims to detail the organisational and legislative requirements with regards to the following:

- Data protection;
- ICT security;
- Confidentiality;
- Access to information; and
- Document management.

1.4 The need to adhere to this framework and associated policies is included in both the terms and conditions of staff employment and the Code of Conduct applicable to all staff and Board Directors. Any breaches will be investigated and, where a serious breach has occurred, disciplinary action may be taken.

2 REFERENCE MATERIAL

2.1 The following information has been used when developing this framework: Data Protection Act 1998 Data Protection Principles Guidance from the Information Commissioner's Office (ICO) website Data Protection Good Practice Guidance

3 DEFINITIONS

3.1 A full list of definitions is attached at appendix A.

4 POLICY CONTENTS

4.1 Data Protection

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.

The legislation itself is complex, but is underpinned by a set of eight straightforward, common-sense principles:

Principle 1: Personal information must be fairly and lawfully processed
Principle 2: Personal information must be processed for limited purposes
Principle 3: Personal information must be adequate, relevant and not excessive
Principle 4: Personal information must be accurate and up to date
Principle 5: Personal information must not be kept for longer than is necessary
Principle 6: Personal information must be processed in line with the data subjects' rights
Principle 7: Personal information must be secure
Principle 8: Personal information must not be transferred to other countries without adequate protection

These principles must be followed by anyone processing personal data. More detailed information regarding the principles is attached at appendix B.

Use of Employee Protection Register / Concerns Markers

Thirteen Group has a duty under the Health and Safety Act 1974 to provide a safe working environment for its employees. Many employees come into direct face-to-face contact with customers and clients as part of their work, in situations which are sometimes volatile or that may present other risks to the safety of staff. Thirteen Group therefore recognises the necessity of using an Employee Protection Register / Concerns Marker. However, it may be that sensitive personal data is included in the Employee Protection Register / Concerns Marker and therefore usage of the Employee Protection Register / Concerns Marker must comply with the Data Protection Act.

Data Sharing Agreements

Employees and Board Directors working for and on behalf of Thirteen Group must understand the importance of good practice when dealing with personal and sensitive personal data held in customer records, and appreciate the rules by which individuals' data may be accessed and processed. Thirteen Group expects that data held by the organisation or any companies acting on behalf of the Group will be treated as confidential at all times, and will be processed in accordance with the Data Protection Act 1998 and Thirteen Group's other policies and procedures.

Data will not be made available to third parties for commercial or marketing purposes. Organisations using any type of data held by Thirteen Group will have to sign up to a data sharing agreement and be bound by the requirements of that agreement.

Data Security Breaches

A data security breach can happen for a number of reasons, for example: loss or theft of information on which data is stored; unauthorised access; equipment failure; human error; and fire or flood. If a potential breach is identified, action will be taken to ensure the matter is contained and if possible the information recovered; an assessment of ongoing risk is made; there is notification of the breach to the affected parties as required; and there is evaluation of the effects of the breach and the response. Action may include disciplinary investigations if employees are involved.

ICT Security

Employees and Board Directors must use Thirteen Group's information technology and communications facilities sensibly, professionally, lawfully, and consistently, with respect for colleagues and for customers and in accordance with this framework and Thirteen Group's other policies and procedures.

Use of Electronic

Thirteen Group's facilities are provided for business purposes. Facilities provided by Thirteen Group should not be abused, and only authorised users of the Group's computer systems are entitled to use facilities. The use of the Group's facilities assumes and implies compliance with this framework; Thirteen Group's other policies and procedures; and the Data Protection Act. Every user has a duty to ensure that they practise appropriate and proper use and must understand their responsibilities in this regard. Complaints received from both internal and external sources, regarding any unacceptable use of which involves Thirteen Group's facilities

Use of Internet / Intranet

Thirteen Group provides access to the information, resources and facilities of the Internet to help employees and Board Directors do their jobs more efficiently and effectively. Thirteen Group has implemented security measures to block inappropriate content and entrusts employees and Board Directors to use the Internet and Intranet in a professional way which avoids any question of inappropriate use. Consider that when visiting websites, information identifying the PC may be logged. Therefore any activity may be associated with the Thirteen Group.

Misuse of Facilities

Misuse of Thirteen Group's facilities and systems, including its telephone, and internet systems, will be treated seriously and dealt with in accordance with Thirteen Group's disciplinary procedures.

The Group reserves the right to undertake a detailed investigation in accordance with Thirteen Group's disciplinary procedures, and information and data on electronic or paper records may be used as evidence. Where this is the case, information to identify individuals will be redacted where required.

System Security

Security of Thirteen Group's ICT system is of paramount importance. We owe a duty to all of our customers to ensure that all of our business transactions are kept confidential. If at any time we need to rely in court on any information which has been stored or processed using Thirteen Group's IT systems, it is essential that we are able to demonstrate the integrity of those systems.

Remote Working

This applies to employees' and Board Directors' use of Thirteen Group's devices, e.g. laptops, tablets, and mobile phones; and also to employees' and Board Members' use of their own computer equipment or other computer equipment. Essential remote working practices will be outlined within Mobile Working Procedures.

Personal blogs / websites

Thirteen Group expects employees and Board Directors to conduct themselves appropriately and in a manner which is consistent with a contract of employment and with Thirteen Group's policies and procedures. This includes when creating, updating, modifying or contributing to blogs, message boards and other content sharing sites outside of working hours, including when using personal IT or the Group IT system during non-working hours.

Social Media

Thirteen Group currently uses social media to communicate effectively with customers and stakeholders. Employees and Board Directors must be aware at all times that, when contributing to social media activities involving comments/views about the Group, they are acting as a representative of the organisation. This framework provides for effective use of social media whilst protecting the organisation's business information and any client or customer information within its custody or safekeeping, by safeguarding its confidentiality, integrity and availability. The personal use of social media is not allowed during work time. Users of social media should also be aware that if any activity is found to call the Group's integrity into question, appropriate investigations and action will be taken.

Monitoring Communications

Thirteen Group is ultimately responsible for all business communications but will, so far as possible and appropriate, respect an employee or Board Director's privacy and autonomy whilst working.

Thirteen Group may monitor your business communications for reasons which include:

- providing evidence of business transactions;
- ensuring that the Group's business procedures, policies and contracts are adhered to;
- complying with any legal obligations;
- monitoring standards of service, staff performance and for staff training;
- preventing or detecting unauthorised use of Thirteen Group's communications systems or criminal activities; and
- maintaining the effective operation of Thirteen Group's communications systems.

Use of Cloud Storage Systems

Use of cloud computing services by employees and Board Directors for work purposes must be formally authorised by Thirteen Group's IT Manager. Thirteen Group's IT Manager will certify that Thirteen Group's security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor. This is necessary to protect the integrity and confidentiality of Thirteen Group's data and the security of the corporate network.

Printing

Thirteen Group strives to provide quality and cost effective print, copy, and scan services to meet the needs of employees and Board Directors whilst taking into consideration the impact of printing on the organizational sustainability goals.

Encryption

Encryption provides an enhanced level of assurance that data being used cannot be viewed or otherwise discovered by unauthorised parties in the event of theft, loss or interception. Employees and Board Directors are required to employ Thirteen Group approved encryption techniques to preserve the confidentiality and integrity of, and control accessibility to, Group data which is classified as private and confidential where this data is processed, stored or transmitted.

4.3 Confidentiality

The Group is aware of its responsibilities when using or handling confidential information. There is a requirement that employees and Board Directors shall not misuse any information or allow others to do so. Confidential information must be used, processed, and handled in accordance with this framework; Thirteen Group's other policies and procedures; and the Data Protection Act.

Sharing Confidential Information between Employees and Board Directors

Within Thirteen Group, confidential information should only be available to employees and Board Directors who genuinely need to know confidential information to carry out their work effectively. Only facts from confidential information should be shared with the necessary and appropriate employees and Board Directors. Where confidential information is shared to an entire team, care should be taken to ensure that there is a legitimate need for the entire team to have access.

Confidential Correspondence

Employees and Board Directors will have access to confidential correspondence and should exercise care and caution when handling correspondence received into Thirteen Group, i.e. envelopes marked confidential or personal should be handled in accordance with administration procedures, policies, and the Data Protection Act.

Multi-Agency Partnerships

Thirteen Group recognises the necessity of working with other agencies so that we are able to meet the needs of customers, clients or prospective customers and clients so that employees and Board Directors can carry out their work effectively. The Group will aim to maintain a balance between the need for confidentiality and the sharing of information necessary to make an effective response to other agencies requesting information. Employees and Board Directors should only share information with other agencies on a need-to-know basis, though the overarching principle should be to obtain consent.

Anonymous Information

Where employees or Board Directors of the Group are given information from anonymous sources, the information will be passed to the relevant team for reference or, where appropriate, to take action to investigate any allegations that may be included within the information. All employees and Board Directors are required to ensure that personal information gained from an anonymous source remains confidential.

Disclosure of Confidential Information

Where requests are made for the disclosure of personal information, employees and Board Directors must consider whether the consent of the individual concerned should be sought. The Group's overarching principle is that an individual's consent should be sought before disclosing personal information to other individuals or organisations, and confidential information should only be shared in exceptional circumstances. However, the Data Protection Act 1998 reinforces the Crime and Disorder Act 1998 in that it allows for the disclosure of personal information, where the disclosure is for the purposes of the prevention and detection of crime, or the apprehension or prosecution of offenders; and where failure to disclose would prejudice those objectives.

Breaches of Confidentiality

All Thirteen Group employees and Board Directors have a duty of care to ensure that personal information remains confidential. Discussing customers, clients, former customers or clients, rehousing applicants or other employees in public places or in an unprofessional context is unacceptable. Customers, clients, contractors, employees, and Board Directors are all expected to respect the rights of others to confidentiality.

Although the Group recognises that most breaches of confidentiality occur not out of malice but through thoughtlessness and lack of awareness of the consequences of an action, any breach of confidentiality will be considered a serious issue and this could be regarded as gross misconduct where, following investigation, evidence shows that this has occurred.

4.4 Access to Information

Thirteen Group believes that people have a right to see what information is kept about them, and fully endorses the principles of data protection, as specified in the Data Protection Act 1998 and other related legislation. Requests for information will be processed within the requirements of the Act and the access to information procedure followed when requests are received.

Freedom of Information

The Freedom of Information Act 2000 gives any individual, regardless of age, nationality, or residence, the right to access recorded information held by public sector organisations. As a registered charity, Thirteen Group is not obliged to meet the requirements of this Act; however, as a commitment to being open and transparent, the Group will consider reasonable requests for information.

Data Subject Access Request

In accordance with the Data Protection Act 1998, applicants / customers / clients / former customers / clients have a right to know what information Thirteen Group holds about them; what we use the information for; and to whom we have disclosed that information or to whom we may disclose that information. Applicants can therefore make a request for this information by following the Data Subject Access Request Procedure.

Accuracy of Personal Data

Applicants / customers / clients / former customers / clients have a right to request that information held by the Group, which they believe is inaccurate, be corrected or removed. If the information is not amended for a justifiable reason, the Group will provide an explanation as to why this has been decided. If the individual then disagrees with the decision, this will be recorded.

Employee Requests for Information

In accordance with the Data Protection Act 1998, job applicants; employees; and former employees have a right to know what information the Group holds about them; what we use the information for; and to whom we have disclosed that information or to whom we may disclose that information. This applies to information held in Thirteen Group's computer records and manual files. This information can be requested by using the Data Subject Access procedure.

Third Party Requests for Information

Occasions may occur where third parties contact the Group to request information relating to a customer / client / applicant or former customer / client. Where this is the case, third party consent to share this information must be received, or an informed decision be made to allow the information to be released without consent. This includes requests from relatives, other agencies, local authority councillors, MPs and Board Directors.

4.5 Document Management

Thirteen Group will manage all documents and records created or received, using a reliable and well-designed system which describes the standards of practice the Group requires to manage and dispose of records.

Electronic Document and Records Management

Thirteen Group endorses the use of electronic document and records management and expects employees and Board Directors to manage documents and records electronically wherever and whenever possible.

Document Retention

A records retention schedule document is in place which sets out the classes of records the Group retains and the length of time these records need to be retained before final disposal action is taken (i.e. destruction or transfer to our archiving facility). The document retention schedule applies to information regardless of its format or the media in which it is created or might be held.

Disposal of Documents and Records

All confidential documents and records will be disposed of in an appropriate way to ensure the security of that data.

Equality and Diversity

Customer Involvement and Consultation

Monitoring and Review

Responsibility

For use by the Governance team

Date agreed at Erimus Board:
Date agreed at Housing Hartlepool Board:
Date agreed at Tees Valley Board:
Date agreed at Thirteen Care and Support Board:
Date agreed at Tristar Homes Board:
Date agreed at Thirteen Group Board:
Date added to Index:
Date added to Internet:
Date added to Intranet:
Linked to Policy or Procedure Number:
Linked to Strategy Number:


Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

More information

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 This guidance is suitable for Public Disclosure Owner of Doc:

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Child and Adult Services Subject Access Requests Guidance

Child and Adult Services Subject Access Requests Guidance Child and Adult Services Subject Access Requests Guidance This Guidance is not applicable to Access to Information requests about Adoption. For requests about Adoption please consult the Adoption and Children

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Last updated: 30 May 2016. Credit Suisse Privacy Policy

Last updated: 30 May 2016. Credit Suisse Privacy Policy Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 1 Document Control Document Title DATA PROTECTION POLICY References O-DPA01 Version V1.1 Classification Unclassified Status Issued Last Review August 2011

More information

Information Security Policy

Information Security Policy Information Security Policy Version 2 Date Approved by Board 8 March 2016 Date of previous approval 4 February 2014 Date of next Review February 2018 You may also be interested in the following policies:

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Newcastle Safeguarding Children Board Multi-agency information sharing agreement

Newcastle Safeguarding Children Board Multi-agency information sharing agreement Newcastle Safeguarding Children Board Multi-agency information sharing agreement March 2016 Introduction Newcastle Safeguarding Children Board (NSCB) is the strategic body for promoting and safeguarding

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: December 2015 Version: 6.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy.

1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy. Data Protection Policy & Procedures 1. Introduction and legal context 1.1. The Royal Academy of Dance (RAD) collects, processes stores and shares information about its employees, members, registered teachers,

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Barnet Partnership Information Sharing Protocol

Barnet Partnership Information Sharing Protocol Barnet Partnership Information Sharing Protocol Information Sharing Protocol V1_0C - FINAL Page 1 of 52 Version 1.0 (FINAL) Contents 1 Background... 4 1.1 The need to share information... 4 2 Scope...

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

OFFICIAL. NCC Records Management and Disposal Policy

OFFICIAL. NCC Records Management and Disposal Policy NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy

More information

INFORMATION SHARING AGREEMENT

INFORMATION SHARING AGREEMENT University of Essex And Essex Police INFORMATION SHARING AGREEMENT September 2011 Version Published 1 1. INTRODUCTION 2. PURPOSE AND SCOPE OF THIS AGREEMENT 3. BENEFITS OF SHARING THIS INFORMATION 4. AGREEMENT

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY 1. Purpose 1.1 The Data Protection Act 1998 ( the Act ) has two principal purposes: i) to regulate the use by those (known as data controllers) who obtain,

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

3. Consent for the Collection, Use or Disclosure of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information PRIVACY POLICY FOR RENNIE MARKETING SYSTEMS Our privacy policy includes provisions of the Personal Information Protection Act (BC) and the Personal Information Protection and Electronic Documents Act (Canada),

More information

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES January 2003 CONTENTS Page 1. POLICY FRAMEWORK 1.1 Introduction 1 1.2 Policy Statement 1 1.3 Aims of the Policy 1 1.4 Principles

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

Beacon Financial Group - Privacy Policy

Beacon Financial Group - Privacy Policy Beacon Financial Group - Privacy Policy Including: Beacon Financial Group Pty Ltd ABN 33 162 734 152, The FinancialLink Group Pty Ltd ABN 12 055 622 967 and Interactive Mortgage and Finance Pty Ltd ABN

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy

St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Learn, sparkle & shine St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Adopted from the LA Policy April 2015 CONTENTS Page No 1. Introduction 1 2. Guiding Principles

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

West Sussex County Council. Guidance on Information Law for Schools

West Sussex County Council. Guidance on Information Law for Schools This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education

More information

Human Resources Author: Lou Hassen Version: 1 Review Date: Dec 2012 Page 1 of 7. Trinity Academy Disciplinary Policy

Human Resources Author: Lou Hassen Version: 1 Review Date: Dec 2012 Page 1 of 7. Trinity Academy Disciplinary Policy Page 1 of 7 Trinity Academy Disciplinary Policy Policy Statement The purpose of the Disciplinary Procedure is to give staff members every opportunity to improve standards of behaviour and conduct and to

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information