Corporate Data Protection Policy


September 2010
Records Management Policy RMP-09

GOLDEN RULE
When you think about Data Protection remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled and then manage the personal details of others in the same way.

Point of Contact for this Policy
Name: David Taylor
Title: Senior Information Governance Officer
Telephone:
Status: FINAL
Version: 1.0

Foreword
Brian Hoare, Leader of the Council

As more of our information is held on computers it is reassuring for our customers to know that Data Protection legislation is in place to protect the information we hold to prevent misuse. The legislation is our customers' assurance that the information we need from them to provide services is collected wisely, used appropriately and destroyed securely. It also gives them the right to see the information held and to amend it if it's wrong. This policy supports the legislation and helps us all to keep the requirements for handling personal data foremost in our thoughts as we work. The citizens of Northampton expect their Council to manage the information they give us as though it were our own. This is the standard that we must strive to achieve and these policies aim to help that process.

David Kennedy, Chief Executive

Northampton Borough Council is fully committed to comply with the requirements of the Data Protection Act. This Council will therefore follow procedures which aim to ensure that all employees, elected members, contractors, agents, partners and other employees of the Council who have access to any personal data held by or on behalf of this Council are fully aware of, and abide by their duties under the Data Protection Act. The Council fully endorses and adheres to the principles as set out in the Data Protection Act.

Status: FINAL V1.0

Contents

Front Cover
Foreword, Leader of the Council
Preface, Chief Executive
Contents
Introduction
Compliance
The 8 Data Protection Principles
Personal Information Promise
Personal and Sensitive Personal Data
Policy Scope

POLICY STATEMENTS

Section 1 Collecting personal data
- 1 Data Collection
- 2 Privacy Notice & Informed Consent
- 3 Safeguards

Section 2 Holding personal data
- 4 Legal Requirements
- 5 Information Security
- 6 Safe Haven
- 7 Confidentiality
- 8 Free Text

Section 3 Processing personal data
- 9 Privacy Impact Assessment Toolkit
- 10 Processing (using) data
- 11 Disclosing data
- 12 Home Working

Section 4 Data Subject rights
- 13 Rights of Data Subjects
- 14 Exemptions to the non disclosure provisions

Section 5 Data Management
- 15 Updating data
- 16 Data Retention
- 17 Data Destruction

Section 6 Information Sharing
- 18 Framework Code of Practice on Information Sharing
- 19 Data matching
- 20 Data Transmission

Section 6 Non Compliance
- 21 Breaches
- 22 Consequences of Non Compliance
- 23 Criminal Offences

Section 7 DPO duties & responsibilities
- 24 The Data Protection Officer
- The notification process
- Complaints & Investigations
- Training
- Review

Section 8 Further Information
- Compliance Related legislation
- Links to other associated legislation
- References
- Definitions
- Contacts

GOLDEN RULES
Personal Information Promise Scroll
TH!NK Privacy (back cover)

DP Policy statements

Introduction

Northampton Borough Council ("the Council") is fully committed to compliance with the requirements of the Data Protection Act 1998 ("the Act"), which came into force on the 1st March. Obligations and responsibilities under the Data Protection Act 1998 are not optional; they are mandatory. There can be harsh penalties (up to £500,000) imposed for non-compliance.

The Council will therefore follow procedures that aim to ensure that all staff, elected members, contractors, agents, consultants, partners or any other person working for the Council who has access to any personal data held by or on behalf of the Council is fully aware of, and abides by, their duties and responsibilities under the Act.

All individuals permitted to access personal data in line with their work duties must agree to comply with this policy and agree to undertake any relevant training that may be appropriate to the job / position being undertaken. Some departments may also require you to sign a further undertaking relating to the systems or information you will use.

As well as the Council, any individual who knowingly or recklessly processes data without appropriate consent or proper authorisation for purposes other than those for which it is intended or is deliberately acting outside of their recognized responsibilities may be subject to the Council's disciplinary procedures, including dismissal where appropriate, and possible legal action liable to prosecution and, from 1st April 2010, possible criminal conviction under the Criminal Justice and Immigration Act.

Compliance

In order to operate efficiently, the Council has to collect and use personal data about people with whom it works. This may include members of the public, current, past and prospective staff, clients, customers, contractors, partners and suppliers. In addition, the Council may be required to collect and use personal data in order to comply with its statutory obligations.

This personal data must be handled and dealt with in accordance with the Act and this policy. There are safeguards within the Act to ensure personal information is collected, recorded and used whether it is on paper, computer records or recorded by any other means.

The obligations outlined in this policy apply to everyone listed above who has access to, holds copies of or processes personal data. This includes those who work at / from home or have remote or flexible patterns of working.

Directors, Service Heads and Managers have immediate responsibility and accountability for data protection matters in their own areas of work including:
- development, implementation and review of departmental Data Protection Procedures that support this policy.
- ensuring compliance with Information Governance policies and standards established by the Council and their service.
- ensuring that new information systems in their work area are designed to comply with this policy (tested against the Privacy Impact Assessment toolkit).
- notifying the Senior Information Governance Officer of the development of any new systems in their area of work that utilize personal data.

Staff and Elected Members (including consultants, contract, temporary, part time and agency staff) will have immediate responsibility to:
- work in a manner which will ensure the security and good management of all personal information they have access to, and
- proactively alert management to suspected poor data protection practices.

The 8 Data Protection Principles

The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles, summarised below, are fully defined in schedule 1 of the Act and are legally enforceable. They must be followed by all data processors at all times.

The Principles require that personal information is:
1. Processed fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up to date
5. Not kept for longer than necessary
6. Processed in accordance with the rights of data subjects
7. Kept secure
8. Not transferred outside of the European Economic Area

Data Protection Promise: going further than the letter of the law

In addition to meeting its legal obligations to safeguard personal data, this Council endeavours to go further than the letter of the law. To demonstrate this commitment to Data Protection the Council's Management Board have agreed to work in a way that wherever possible and practical supports the Information Commissioner's Personal Information Promise. Accordingly we promise that we will:
1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to;
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don't look after personal information properly;

9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.

Personal & Sensitive Personal Data

The Act provides conditions for the collection and processing of any personal data. It also makes a distinction between personal data and sensitive personal data.

Personal data is defined as data relating to a living individual who can be identified from:
- that data;
- that data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to:
- racial or ethnic origin;
- political opinion;
- religious or other beliefs;
- trade union membership;
- physical or mental health or condition;
- sexual life;
- criminal proceedings or convictions.

Although there are clear distinctions between personal and sensitive personal data, for the purposes of this policy the term personal data refers equally to sensitive personal data unless otherwise stated.

Policy Scope

The Data Protection Act 1998, the 8 Data Protection Principles and the 10 Personal Information Promises form the framework and reference points for the following policy statements. Complying with them all demonstrates the Council's commitment to managing all personal data to the very highest standards at all times.

This policy has been approved at Cabinet level. Compliance with all aspects of the policy is mandatory.

The policy is divided into linked sections for ease of reference. It follows the natural process of data collection, validating, processing, retaining, sharing and destroying data.

Guidance notes supporting each section and giving detailed compliance advice are available to assist individuals and departments to comply with their duties and obligations.

This policy is part of a series of interlinked policies relating to Records Management, Information Governance and Access to Information Requests.

Section 1 Collecting personal data

1 Data Collection

GOLDEN RULE
The Council will only collect the absolute minimum amount of personal data required to conduct its business. Departments will maintain policies that ensure the personal information that they collect and hold is kept up-to-date and is never more than 6 years old within an active file.

2 Privacy Notice & Informed Consent

GOLDEN RULE
Privacy statements (previously Fair Processing Notices) must be included when collecting any personal data. They must include or reference the following:
- be written in the same font, size and layout as the rest of the publication.
- be written in plain English.
- state why the personal data is required and how it will be used.
- if necessary identify who can access it and who it may be shared with.
- say how long it will be retained and how it will be destroyed.

As a minimum the following statement should be used.

Example privacy notice
Northampton Borough Council is registered with the Information Commissioner's Office under the Data Protection Act 1998 to collect, hold and use personal and sensitive personal information under registration number Z. Details of the Council's current stated uses of personal information are available from the Information Commissioner's website. A copy of the Council's Data Protection Policy is available upon request or on the Council's website.

In addition, if sensitive personal data is to be collected, explicit consent must be obtained either in advance or at the time of collection. In this context explicit consent means the Council must obtain signed consent or, if collecting electronically, the individual must physically change a default button from no to yes (I agree).

3 Safeguards

The Council will ensure appropriate physical and electronic safeguards are in place to protect all the personal information in its care. Where necessary additional provisions, safeguards and controls will be employed to ensure sensitive personal information can only be accessed by authorised personnel.

Section 2 Holding personal data

Records management has close links with other strategies and policies relating to Information Governance, Information Technology, Risk Management, Continuity, security, and data quality and validation. It is necessary that policies and procedures relating to all such activities should be consistent.

4 Legal requirements

Legislation such as the Data Protection Act 1998 and the Freedom of Information Act 2000 has placed an increased obligation on the Council to manage its data (information), whether paper or electronic, according to defined guidelines and standards. Both Acts require the Council to be able to identify, locate and account for the disposal of documents, and to have published and implemented policies in relation to the disposal of records.

5 Information Security

The Council undertakes to have in place a level of information security appropriate to the nature of the data and the harm that might result from a breach of security. There are three key points we need to understand and have clearly in mind when thinking about information security.

a) Information exists in many forms; printed or written on paper, stored electronically, transmitted by post or electronic means, shown on films or spoken in conversation. Be aware of the information around you and in your care at all times. Treat others' information as though it were your own.

b) Information security management is a combination of management and technological process. It is your responsibility to manage personal data in a compliant way using the most appropriate compliant process. This will normally be by ensuring your working practices follow written working procedures for your area in both the physical and electronic environment.

c) We all have a part to play in making sure that our information assets are safe. You are responsible for the security of the information you work with. Managers are responsible for ensuring you are able to manage information securely.

6 Safe Haven

This policy introduces the term Safe Haven to the Council. This is a universally recognised term that describes the administrative arrangements adopted for safeguarding the receipt, holding and transfer of personally identifiable and other confidential information.

It covers issues such as clear desk policy, as well as the secure transmission / receipt and safe retention of data. In effect, a Safe Haven is anywhere in the Council where confidential information can be held and communicated in a safe and secure environment.

7 Confidentiality

Personal data is often provided to the Council in confidence. This confidential information is arguably the most valuable information business asset the Council holds.

Staff automatically have duties to ensure that confidential information is not knowingly or recklessly misused. Staff should only access systems and records containing confidential information that are relevant to their work / duties. Therefore, where appropriate, signed declarations of confidentiality should be employed.

GOLDEN RULE
Treat all personal information as provided in confidence unless otherwise advised.

Those who use the Council's computer equipment will only have access to the data that is both necessary for the work they are doing and held for the purpose of carrying out that work. Do not try to access personal information you should not have access to. If you find others misusing personal data, report the issue, in confidence to the Data Protection Officer if necessary.

Manual files (paper records): access must be restricted solely to relevant staff and files must be stored in secure locations (e.g. lockable cabinets), to prevent unauthorized access.

Data users and processors must comply with the Council's Information Security Policy.

Preventing abuse and discrimination. The Council processes sensitive personal data on staff and service users. The Council will have regard to its various diversity policies to ensure that if instances of abuse or discrimination occur, appropriate action is taken.

NB. Additional safeguards must be adopted when sensitive personal data is involved.

8 Free Text

Free text is, for the purposes of this policy, the area within a case file or electronic case system where details are recorded about interactions with the individual (customer). If requested the customer would be provided with the information contained therein.

However, this free text guidance can equally be applied to emails, internal memos and phone messages.

Therefore care must be taken to only record factual information about individuals. Do not record opinions or anything else that cannot be substantiated. Remember data subjects have the right to request copies of the information the Council holds about them, including notes you have written onto their case file. What you write is likely to be disclosed if requested.

GOLDEN RULE
The golden rule of free text is to consider if you would be happy for someone else to write about you what you have written about them.

Free text

Do's
- Keep text brief. No essays.
- Record facts.
- Only write what can be substantiated.
- Link to evidence where necessary.

Don't
- Do not use full names except for the data subject's, use initials.
- Do not include personal thoughts.
- Do not record comments that in hindsight you would retract / can't substantiate.

Section 3 Processing personal data

What is processing?

Any activity / operation performed on personal data, whether held electronically or manually, such as obtaining, recording, holding, disseminating or making available the data, or carrying out any operation on the data. It is difficult to envisage any activity that does not amount to processing, but it includes organising, adapting, amending, processing, retrieving, consultation, disclosure, erasure or destruction of the data.

Where a 3rd party processes data on the Council's behalf, the 3rd party will be required to act in a manner which ensures compliance with the Act and this policy and have adequate safeguards in place to protect the personal data.

9 Privacy Impact Assessment Toolkit

In response to the Data Sharing Review Report (11th July 2008, Richard Thomas and Mark Walport) the Council will use a Privacy Impact Assessment (PIA) toolkit to evaluate all new computer systems to help it determine how data protection compliance can be assured. In addition all existing systems will be subject to periodic assessment.

PIA toolkits provide a step-by-step approach to evaluate and test proposed, new or existing information systems for compliance with the legislation. The PIA process helps to identify weaknesses or risks of data losses or breaches and to consider action that needs to be taken to ensure compliance where such compliance is not yet achieved. PIA applies equally to paper as well as electronic data holding systems.

10 Processing (using) data

In line with the first data protection principle, all information will be collected fairly and lawfully and processed in line with the purpose for which it has been collected.

GOLDEN RULE
Without exception, information must not be used for any additional purposes without the consent of the data subject.

11 Disclosing data

Personal data must only be disclosed to the data subject (the individual) and other organisations and persons who are pre-defined as notified recipients within the Council's Data Protection Notification.

At certain times it may be required that personal data provided in confidence can be disclosed under one of the exemptions within the Act (see section 14 and guidance note 4 for more details). In both cases requests for such information must be passed to Information Governance who will keep an audit trail of all such disclosures.

GOLDEN RULE
Never disclose personal data without authorisation. It may be a disciplinary offence.

12 Home working

Working from home presents some complex security issues. Accessing the Council's network from home is covered by ICT policies and procedures. Do not try to bypass these security controls, particularly by copying files from work drives to local drives (your home PC).

Personal data must not be stored on any device (including removable media such as USB sticks) that does not have corporately approved encryption.

Taking home paper or electronic files creates a risk of loss. It also means the files are not accessible to other members of staff. Controls in the office must include a signed log when you are removing and returning files. Managers must authorise the removal of any files from the office containing personal information.

Section 4 Data Subject rights

13 Rights of Data Subjects

There are 6 basic rights that the data subject can exercise against the data controller.

Section 7 - Right of access for data subject
This right is called Data Subject Access Request. The Council applies the statutory maximum charge (currently £10) when individuals make a request, with possible additional disbursement charges for copying and postage. Guidance note 4 fully defines the request process and includes a flowchart.

There are 5 other rights, most of which follow on from a subject access request.
- Section 10 - Right to prevent certain processing of data
- Section 11 - Right to prevent processing for direct marketing
- Section 12 - Rights in relation to automatic decision taking
- Section 13 - Rights of compensation in certain circumstances
- Section 14 - Right to rectification, blocking, erasure or destruction of data

Any request to take action against one or more of these rights must be passed immediately to Information Governance.

14 Exemptions to the non-disclosure provisions

This section is in two parts. Part A relates to information that may be exempt from disclosure following a subject access request and Part B relates to information that can be disclosed without the individual's consent, such as section 29 or 35 (see guidance note 4).

Part A
Under the Act there are some instances where personal information held about an individual is exempt from the section 7 right (to be provided with a copy of all information held). The Council will review all such exemptions with a view to disclosing as much as is possible without causing harm. These include, but are not limited to:
- Exam results
- Medical reports
- Confidential references

Part B
There are several prescribed exemptions to the non-disclosure provisions within the DPA. The main ones are summarised below. All such disclosures are either managed or authorised by Information Governance to ensure that they are legally permissible and recorded.

NB. It should be noted that the Act does not place a requirement on the Council to provide this information. It is for requesting organisations to put forward a strong case.

Section 5 Data Management

15 Updating Data

Personal data must only be kept on active files for a maximum of 6 years without being refreshed. If, when collected, we stated how long the data would be held for, there must be processes in place to ensure the information is securely destroyed at the end of this period. Examples include records of disciplinary action, consultation responses and monitoring data.

Departments must have in place procedures to ensure personal information (such as contact details) is updated regularly. Some departments such as Personnel will do this every other year; others, such as Housing Tenancy and Planning, will do it as a rolling process, while some, such as Council Tax, will just note the date the details were put onto the system.

There is no requirement to update personal data on closed files such as ex-tenant files.

16 Data retention

Principle 5 reminds us to only keep personal information for as long as is necessary. How long information needs to be kept will depend on what the information is used for and to some extent the business need.

Your departmental Retention Schedule will contain details of how long specific record types should be kept for. Information Governance can also advise on how long information should be kept.

17 Data destruction

All personal, sensitive personal, confidential and financial information held by the Council will be destroyed securely. Disposal of personal information will be part of a managed process, which will be fully documented within each directorate.

Each directorate will have in place clearly defined arrangements and procedures for the selection of information ready for disposal, in accordance with local retention guidelines.

Destruction of information will be carried out following relevant procedures and may be subject to periodic checks by either Internal Audit or Information Governance.

Section 6 Information Sharing

18 Framework Code of Practice on Information Sharing

In 2007 the Information Commissioner's Office issued a Framework Code of Practice for sharing personal information. The aim of the code is to help organisations adopt good practice when sharing information and comply with the Act.

The Council has signed up to the Northamptonshire Partnership Information Sharing Statement, which is available as part of the procedure and guidance documents linked to this policy.

The Council actively encourages the use of Information Sharing Agreements between organisations. This approach ensures that information is shared legally, responsibly and appropriately. Information Sharing Agreements must be signed off and recorded centrally by the Data Protection Officer before they become active.

19 Data Matching

The Council is required by law to provide personal information data sets periodically to the Audit Commission to assist nationally with the prevention and detection of fraud. The data matching exercises are conducted as part of the National Fraud Initiative (NFI). Details of each exercise and the data sets required are available on the Audit Commission's website.

The Council supports data matching, provides all information required for each exercise and follows the relevant codes of practice to ensure the information is transmitted and processed securely at all times.

20 Data Transmission

The greatest single risk to the security of data is during transmission. Every time data is moved a risk of loss, theft or breach is created. Specific detailed departmental policies should be used to ensure that during the transmission process information security is not compromised. Areas of risk include:
- File movement (particularly out of office file movement such as court attendance, home working or office move).
- Home working. Particular risks include the storage of data on removable drives such as USB sticks, the holding of data on laptops and taking files home.
- Email is often overlooked as a transmission risk. Standard email is not a secure way to send personal information. Consider file encryption or secure email such as GCSX.
- Post. Signed for does not make the postage any more secure, though it does give assurance that someone at the other end has received the information. Courier, particularly same day door-to-door, is about the most secure way to post.

Advice on how to identify and mitigate these risks is contained in DP Guidance note 6.

Section 6 Non Compliance

21 Breaches

The Council is required to proactively report significant data breaches to the Information Commissioner. To do this, anyone who suspects or finds that a data breach, data loss or theft has occurred should inform the Data Protection Officer at the earliest opportunity, preferably on the same day.

Types of suspected data breaches include, but are not restricted to:
- Accidental disclosure of personal data to another person or organisation
- Inappropriate access to or use of personal data
- The theft of personal information, either paper based or electronic
- Accidental loss of personal data
- Information that has not arrived at its destination
- Fraudulent acquisition of personal data (Blaggers)

The Data Protection Officer must investigate the suspected data loss at the earliest opportunity and in any event within 3 working days of the breach being notified in writing to the Data Protection Officer. Where appropriate, particularly in respect of theft, the police should also be notified.

If the Data Protection Officer considers it necessary after concluding the investigation and consulting with the Monitoring Officer and / or the Chief Executive, a report shall be submitted to the Information Commissioner's Office within 5 Working Days of the breach occurring.

Where a breach is shown to have originated from a member of staff it will be dealt with in accordance with the Council's procedure for dealing with poor performance and misconduct. Managers will need to decide what action is appropriate based on the circumstances and may wish to seek advice from Human Resources, the Data Protection Officer and if necessary Legal Services (particularly in the case of criminal offences).

22 Consequences of Non Compliance

The Information Commissioner has the power to conduct audits to assess whether an organisation's processing of personal data follows good practice. Following such an audit the Information Commissioner has the power to issue the following notices.

Information Notice
Would require the Council to provide certain information within set time limits. Failure to comply with an Information Notice, or deliberately providing false information, is a criminal offence.

Undertaking
The Commissioner may decide that systems and / or practices could be improved by requiring the organisation to agree to a number of recommendations. By issuing an undertaking the organisation would be "on probation" and obliged to action the undertaking.

Decision Notice
If the Information Commissioner decides that there had been a breach of the Act he may serve the Council with a Decision Notice. This could be, for example, failure to comply with an undertaking, or where following investigation he finds the Council has mishandled personal data. A Decision Notice is a public notice and is often said to "name and shame" organisations that have failed to uphold the principles of the Act.

Enforcement Notice
If the Information Commissioner decides that there had been a serious or significant breach of the Act, he may serve the Council with an Enforcement Notice. This may force the Council to cease processing data in a particular way or cease processing personal data. Failure to comply with an enforcement notice is a criminal offence.

The implications of these notices mean that compliance with this policy, together with the Act and supporting guidance issued by the Information Commissioner, cannot be underestimated. It is therefore mandatory to comply.

23 Criminal Offences

The Information Commissioner has the power to prosecute those (personally and corporately) who commit criminal offences under section 55 of the Act. Other legislation, such as the Criminal Justice and Immigration Act 2008, allows the Commissioner to impose fines of up to £500,000 for serious and / or persistent breaches of the Act.

A full list of offences can be found on pages of the Information Commissioner's legal guidance on Data Protection available via the following link:

In addition, in relation to computer processed information, the following are offences under the Computer Misuse Act 1990:
- Unauthorised access to computer
- Unauthorised modification to contents of computer, and
- Unauthorised access with intent to commit / facilitate the commission of further offences

GOLDEN RULE
You must notify the Data Protection Officer immediately if you identify or suspect any offence. You may also want to consider raising the issue through the Council's Whistle Blowing procedure.

Section 7 DPO duties & responsibilities

24 The Data Protection Officer

The Council nominates the Senior Information Governance Officer to be the Council's Data Protection Officer, whose duties are to:

a) ensure the Council's Data Protection Notification accurately reflects the activities of the Council and is renewed each year (see policy statement 21).
b) maintain the Data Protection Policy and related guidance by ensuring it reflects current legislation and best practice.
c) provide advice, guidance and assistance to staff, elected members, contractors, agents, partners or consultants who have access to any personal information held by or on behalf of the Council in the practical application of the legislation and policies.
d) provide initial and refresher training to ensure all data handlers and processors understand, and continue to understand, their responsibilities with regard to data protection matters.
e) investigate data breaches, losses, inappropriate use or thefts and where necessary report such incidents to the Information Commissioner.
f) record and manage all requests for access to personal information including subject access and section 29 & 35 requests.
g) keep a log of electronic and manual databases and review their use periodically for compliance.
h) provide or identify Privacy Impact Assessment tools for officers to assess new systems to ensure compliance with privacy legislation.
i) regularly review the continued appropriateness of all data sharing agreements that are in place.
In order to assist the Data Protection Officer, Council staff must inform the Data Protection Officer if:

- Any department creates a new database, or relevant manual filing system; or plans to purchase or use a third party database to hold personal information, or
- Any unexpected data loss or any potential security breaches are identified.

25 The Notification Process

The Council maintains, and will continue to maintain, regular Notification of its data activities to the Information Commissioner. Its registration number for such purposes is Z

It is the responsibility of the Council's Data Protection Officer to ensure the Council:

- regularly reviews its Notification to ensure that it reflects the use of personal information within the authority and,
- promptly (within 28 days) updates notified changes to the Council's Data Protection Notification with the Information Commissioner's Office.
- renews its annual Data Protection Notification notice on or before the last day of February each year

If personal information is no longer needed for an activity, information is to be used for a new activity, or changes are made to the way personal information is used in an existing activity, it may mean that a Notification amendment is needed. To enable this process to begin you will need to supply the following information in writing to the Data Protection Officer:

- why (for what purpose) is personal information being processed?
- who is it about (the type of Data Subject)?
- what personal information (Data Classes) is being held?
- who has it come from and who does it go to?
- is information to be sent abroad, and if so where to?

It is your responsibility to ensure changes to the way you collect, hold or process information are reported to the Data Protection Officer. Only after you have supplied written notification of changes can the notification be reviewed and amended if required. You are breaking the law if you knowingly process information in contravention of the Council's Notification.

Golden Rule
Under no circumstances can personal information be used for a new or amended purpose until the Council's Notification has been checked and amended if required.

26 Complaints & Investigations

Everyone should expect the Council to hold, process and destroy personal data in a safe and secure environment. Occasionally individuals may have cause for concern that their personal information has not been managed as they would expect and have the right to complain. All such complaints will be investigated by the Data Protection Officer in the first instance using the Council's Information Challenge procedure.

27 Training

Data Protection training is a crucial element of staff awareness. Staff, both permanent and temporary, need to be aware of their obligations relating to all personal data they process as part of their Council duties. Failure to adhere to the eight data protection principles can lead to possible disciplinary action and prosecution.

It is the Council's Policy that all staff who hold or process personal data receive the appropriate training in order to comply with the Data Protection Act. Basic data protection training is provided to staff via the induction process. Additional training will be provided for all who have access to personal information to ensure that they know how to:

- Identify personal data
- Ensure personal data is kept securely

Further in-depth data protection training is provided for all staff whose main function is to process personal information. [For further details of training please contact Human Resources]. In addition staff are expected to read this Data Protection Policy.

28 Policy Review

There should be a regular annual review of this Policy, its working in practice and all related advice and guidance. The review will include tests on the continuing appropriateness of the safeguards and controls already in place. In addition, changes to legislation, national guidance, codes of practice or commissioner advice will trigger mini compliance and policy reviews.

GOLDEN RULE
When you think about Data Protection remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled and then manage the personal details of others in the same way.

Section 8 Further information Guidance

Compliance - Related Legislation

- Copyright, Designs and Patents Act 1988
- Children Act 1989
- Computer Misuse Act 1990
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Disability Discrimination Act 1995
- Disability Discrimination Act 2005

Links to other associated legislation

- Defamation Act 1996
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Civil Contingencies Act 2004
- The Re-Use of Public Sector Information Regulations 2005
- Criminal Justice and Immigration Act 2008

References

- Data Sharing Review Report - Richard Thomas and Dr Mark Walport, 11th July 2008
- Framework Code of Practice for sharing personal information
- Legal guidance on Data Protection

Definitions

Data > Any information automatically processed or going to be automatically processed. This includes information contained within structured and unstructured manual files.

Data Controller > Person (i.e. natural person or legal body such as a business or public authority). Decides manner in which, and purpose for which, personal data are processed. In our case this is the Council, not an individual.

Data Protection Officer > The person appointed by the Data Controller (the Council) to manage Data Protection compliance, advice and training within an organisation.

Personal Data > Information relating to a living identifiable individual.

Data Subject > An individual who is the subject of the personal data/information.

Data Processor > A person who processes on behalf of the data controller under.

Golden Rule > No legal definition. Included to highlight important and significant points.

Information Commissioner > An independent Officer appointed by Her Majesty the Queen and who reports directly to Parliament.

Processing > Any activity/operation performed on personal data, whether held electronically or manually, such as obtaining, recording, holding, disseminating or making available the data, or carrying out any operation on the data. This includes organising, adapting, amending and processing the data, retrieval, consultation, disclosure, erasure or destruction of the data. It is difficult to envisage any activity which does not amount to processing.

Sensitive Personal Data > Information relating to an individual's race/ethnic origin, their political opinions, religion, trade union membership, health, sexual life, criminal or alleged offences. Requires explicit consent to collect and hold this information.

3rd Party > A person or organisation whose personal information is within another person's.

Contact details

David Taylor
Senior Information Governance Officer (Freedom of Information and Data Protection Officer)
Borough Solicitor's Department
The Guildhall
Northampton, NN1 1DE
Telephone: Fax:

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, SK9 5AF
Tel: Website:

THE GOLDEN RULES

- The Council will only collect the absolute minimum amount of personal data required to conduct its business.
- Privacy statements (previously Fair Processing Notices) must be included when collecting any personal data.
- Treat all personal information as provided in confidence unless otherwise advised.
- The golden rule of free text is to consider if you would be happy for someone else to write about you what you have written about them.
- Without exception, information must not be used for any additional purposes without the consent of the data subject.
- Never disclose personal data without authorisation. It may be a disciplinary offence.
- You must notify the Data Protection Officer immediately if you identify or suspect any offence. You may also want to consider raising the issue through the Council's Whistle Blowing policy.
- Under no circumstances can personal information be used for a new or amended purpose until the Council's Notification has been checked and amended if required.
- When you think about Data Protection remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled and then manage the personal details of others in the same way.

TH!NK PRIVACY


More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016 Information Assurance Policies and Guidance Information Governance Policy Document Version: v0.5 Review Date: 1 May 2016 Owner: Information Governance Manager 1 P a g e Document History Revision Version

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Access to Information: Data Protection and Freedom of Information

Access to Information: Data Protection and Freedom of Information Access to Information: Data Protection and Freedom of Information Records Management Section Data protection: key concepts Personal data Sensitive personal data Data subjects Data protection principles

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 -

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 - Leeds City Council Data Protection Policy - 1 - Document Control Organisation Leeds City Council Title Data Protection Policy Author Mark Turnbull, Legal Services Filename DPA policyvr1.doc Owner Assistant

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

Data Protection Good Practice Note

Data Protection Good Practice Note Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection

More information

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Islington Data Protection Policy. A council-wide information policy Version 1.1 June 2014

Islington Data Protection Policy. A council-wide information policy Version 1.1 June 2014 A council-wide information policy Version 1.1 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution 2.5 license.

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

Safeguarding Children and Vulnerable Adults Policy

Safeguarding Children and Vulnerable Adults Policy Safeguarding Children and Vulnerable Adults Policy Important: Remember it is not up to you to decide if abuse has taken place, BUT it is your legal duty to report safeguarding concerns you may have about

More information

Disciplinary and Dismissals Policy

Disciplinary and Dismissals Policy Policy Purpose/statement/reason for being Disciplinary and Dismissals Policy E.G - MIP is designed to strengthen the effectiveness of individual s contribution to the Council s success. Purpose The Disciplinary

More information