DATA PROTECTION POLICY

Size: px
Start display at page:

Download "DATA PROTECTION POLICY"

Transcription

1 Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection Act [DPA] Impact Assessment August 2010 DATA PROTECTION POLICY To be reviewed at least every 3 years As a result of the Colleges Incorporation on 1 April 1993, the College became wholly responsible for compliance with the data protection act. The original Data Protection Act 1984 has now been superseded by the Data Protection Act 1998, which significantly extends the scope of data protection law. To comply with the law information must be collected and used fairly, stored safely and not disclosed to any person unlawfully. Data held in electronic form continues to be covered by the new Act. However, manual files structured to enable specific information about a particular individual to be readily accessible will now also be caught and be regarded as relevant filing systems. Card index files, concertinas, files and ring binders containing information about individuals and arranged or divided, for example alphabetically, are covered by the Act, requiring 1 compliance with the obligations below. The legislation compels the College to take specific measures to ensure that all information [personal data] held about living individuals, held in a relevant filing system, is processed according to the eight data protection principles. 2.0 Specific Obligations Under The 1998 Act 2.1 The main obligations The College has two principal obligations under the new law: 1 NOTE : There is a transitional relief period whereby manual filing systems in place and processing already underway before 24 th Oct 1998 are exempt from compliance until the 23 rd Oct 2001 by when all relevant filing systems will have to comply with the regulations. Page 1 of 17

2 Not to process data until it has registered with the Office of the Data Protection Commissioner. The registration process is known as Notification To comply with the eight data protection principles set out in the new Act, which govern how data should be processed, how they should be updated, and the rights of the individuals whose data are held. These are: [1] Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 of the 1998 Act is met or in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the 1998 Act is also met [See Appendix A]. [2] Personal data shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. [3] Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. [4] Personal data shall be accurate and, where necessary, kept up-todate. [5] Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. [6] Personal data shall be processed in accordance with the rights of data subjects under this act. [7] Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. [8] Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 2.2 Notification of data held and processed Page 2 of 17

3 Notification is the process by which the College [the data controller] informs the Data Protection Commissioner about the processing of personal data carried out by the College. Once the College has notified, the information about our College is then made available in a public register. Notification is a statutory requirement and failure to do so is a criminal offence. The notification period is for one year and the College will have to renew its register entry annually otherwise it will expire. We will be informed in writing just before the expiry date of our register entry. Once the College has notified we must keep the notification up to date. If any part of the register entry becomes inaccurate or incomplete the college must take action to notify changes within 28 days of the event. The Data Protection Officer Mike Pilling [Network Services Manager] should be contacted if a change in any register entry is required. 2.3 Rights of access to information The principal purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know or be able to find out who is carrying out processing of personal data. All staff, students and other users are entitled to know: what information the College holds and processes about them and why how to gain access to it how to keep it up to date what the College is doing to comply with its obligations under the 1998 Act. We must be prepared to answer the following kind of query: Do you hold data about me? Please supply copies of all data you hold about me For what purpose do you hold data about me? To whom do you disclose data about me? Page 3 of 17

4 The College will therefore provide copies of the College s registrations under the DPA 1998 and its, for reference in the College Library. Staff, students and other users of the College have the right to access any personal data that is being kept about them either on a computer or in any relevant filing system. Any person who wishes to exercise this right should complete the college "Data Subject Access Request" form [See Appendix B] and give it to the their manager or personal tutor. Selby College will make a charge of 10 on each occasion that access is requested, although the College has discretion to waive. The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request Exemptions There are a number of exceptions where exemptions from the Act apply. One such exemption is that of personal references. A data subject does not have the right to obtain from the College the details of a confidential reference that we have given. In the case where we have received a reference from a third party regarding a data subject we can disclose this information if it is was deemed reasonable to do so, but we may decide to seek consent from the third party who provided the reference Third party access to information Under normal circumstances third party access to an individual s personal information would not be permitted. The College in this instance would not be processing the personal data of the student/staff member fairly and lawfully in supplying information to a third party [Data Protection Principle 1]. However, if the third party was in fact the police, the College could disclose information about a data subject if we were satisfied that by withholding information we were likely to prejudice a criminal investigation. To comply with the Act we should not provide information to the police if there is no indication from the police as to why they wanted the information. 2.4 Data Subject Consent Page 4 of 17

5 A data subject is an individual who is the subject of personal data held by the College and can include students and staff. The College can only hold and process certain classes of data with the consent of the individual. The 1998 Act distinguishes between ordinary personal data such as name, address and telephone number and sensitive personal data including information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the new 1998 Act the processing of such data is subject to much stricter conditions. If the data are sensitive then express consent to hold and process the data must be obtained, which normally means consent in writing. In our case the standard Selby College Learning Agreement acts as a consent form and by signing the form the student gives express consent for us to hold and process the sensitive data collected on the form. As for College staff it is a condition of employment that they agree to the college holding and processing personal data including information about previous criminal convictions. Therefore, all prospective staff and students will be asked to sign a Consent To Process form of some kind, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The College has a duty under the Children s Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the College facilities do not pose a threat or danger to other users. 3 Responsibilities of staff and students The purpose of this section is to make all staff and students aware of their responsibilities towards all personal data held by the college and to indicate the practical steps to be taken to comply with the act. Page 5 of 17

6 3.1 Staff Responsibilities This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College. Any failures to follow the policy can therefore result in disciplinary proceedings. Regarding the processing of personal data by the college, staff should ensure that any data, which it is proposed to process, are covered by the College s notification under the Data Protection Act The processing of personal data that have not been notified is a criminal offence. To help staff the College will provide copies of the College s notifications under the DPA 1998, for reference in the College Library. All staff are responsible for checking that any information they provide to the College in connection with their employment is accurate and up to date and that any changes at a later date are notified. All staff are responsible for checking the accuracy of information held and keeping this information up to date. Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance. Staff are responsible for ensuring that any person from whom personal data are obtained are not deceived or mislead as to the purpose for which such data are held, used or disclosed. Staff must ensure that an indication of the purpose[s] should appear on any form used to collect data, and where necessary, an explanation as to why the data are being collected. No unfair pressure should be used to obtain any personal data. 3.2 Student Responsibilities Students must ensure that all personal data provided to the College are accurate and up to date. They must ensure that changes of address etc are notified to the appropriate person normally their tutor. Students who use the College computer facilities may, from time to time, process personal data. If they do they must notify their personal tutor who will notify the data controller. Any student who requires further clarification about this should contact their personal tutor who will liaise with the Data Controller. Page 6 of 17

7 4. Data Security All staff should observe strict control of all databases of information [computerised or manual] on living individuals, whether they be staff, students, members of the public, suppliers, customers etc. The College must notify all relevant filing systems and databases or it could face legal action. Failure of any member of staff to inform College management of the existence of a database or manual filing system could result in disciplinary action. The holding of a College-related database outside the College also falls within these restrictions. The removal of College-Related personal data on a computer to off-site locations or the holding of College-related personal data on a computer outside College will only be permitted in strictly controlled circumstances. It is not permitted to hold any College-related data off-site on a computer or other relevant filing system without prior approval from college management. Great care must be taken not to disclose personal data either intentionally or accidentally. This can be helped by: Only allowing authorised access to computers [i.e. by not disclosing passwords] Switching off [or logging off] computer systems when you are not using them Keeping doors to rooms containing manual filing systems or computerised databases locked, when not in use Preventing unauthorised information being obtained from computer screens Not disclosing personal information over the telephone without following established procedures Only disclosing personal information to which an individual is entitled after first verifying the true identity of the person requesting the information Ensure proper disposal of waste materials such as computer printouts containing personal data Not removing any data/information from the college without prior authorisation Page 7 of 17

8 Not storing/processing certain personal data on individuals unless it is absolutely required. Before processing any personal data, all staff should consider the following checklist: Do you really need to record the information? Is the information standard or sensitive? If it is sensitive, do you have the data subject s express consent? Has the data subject been told that this type of data will be processed? Are you authorised to collect/store/process the data? Have you checked with the data subject that the data is accurate? Are you sure that the data is secure? If you do not have the data subject s consent to process, are you satisfied that it is in the best interest of the student/staff member to collect and retain the data? Have you informed the designated data controller for the College that you are storing this kind of information in a relevant filing system? 5. The Data Controller and the Designated Data Controller/s The College as a body corporate is the data controller under the Act, and the Board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters. The designated data controller for Selby College is Mike Pilling [Network Services Manager]. 6. Examination Marks Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may decide to withhold certificates, accreditation or references in the event that full course fees have not been paid, or all books and equipment returned to the college. Page 8 of 17

9 7. Retention of Data The College will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of 7 years after they leave the College. This will include name and address academic achievements, including marks for coursework and copies of any reference written. All other information, including any information about health, race or disciplinary matters will be destroyed within 5 years of the course ending and the student leaving the College. The College will need to keep information about staff for longer periods of time. In general, all information will be kept 5 years after a member of staff leaves the College. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references. 8. Third Party Processing If we use a third party data controller to process data on behalf of the College we must ensure that the controller complies with the data protection act. This would apply to subsidiary trading companies and franchise partners. We must obtain sufficient guarantees in respect of the processor s security measures and take reasonable steps to ensure compliance with those measures. We must ensure that the third party processor is subject to a written contract with the College. 9. Transfer of information outside the European Economic Area 10. CCTV The College will not transfer data outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. For instance the United States has no Data Protection Act but individual US companies can sign up to the safe harbour scheme guaranteeing data protection CCTV Footage Page 9 of 17

10 Images of people captured by the CCTV systems operated by Selby College fall under the Data Protection Act. As with standard data people can request to see CCTV footage where their image has been captured and is stored by the college Security of CCTV Footage It is college policy that access to CCTV controls and images be physically secure and actual access to CCTV footage be limited to certain senior managers within the College Requests to access CCTV footage In the instance where a person requests to see CCTV footage they must limit the request to a certain time slot within a one hour period and will only be entitled to view footage where they personally appear. In certain circumstances it may be required to seek the approval of third parties where people other than the person requesting access also appear in the footage. This may hold up the process of providing access to CCTV footage considerably Incidents 11 Summary Where an incident has been reported and it occurred in view of CCTV systems [eg. it is suspected that crime has taken place in view of CCTV cameras] the CCTV footage in question will be viewed under controlled circumstances by at least two members of staff with authority to view CCTV Footage and operate the system. Where it is felt appropriate and where systems permit a copy of the incident footage will be made and passed to an appropriate member of the senior management team who will then be able to take appropriate action. The introduction of the new data protection law has forced the college to review the way in which data is processed. One of the purposes of this Policy is to ensure that a proper action is taken to comply with the new requirements which covers the following: To ensure that the College gives proper notification and is registered correctly To identify the manual records currently held and their contents, and determine which are likely to be caught by the new act Page 10 of 17

11 To establish how data are collected, and what consents are obtained, particularly in the case of sensitive data To review the security arrangements of third party processors such as franchise partners, and make sure that written contracts with them are put in place To remind employees of the data protection principles and make sure they are adhered to. Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller. 12. Equality and Diversity Statement Selby College welcomes and celebrates equality and diversity. We believe that everyone should be treated equally and fairly regardless of their age, disability, gender, gender identity, race, religion or belief, sexual orientation and socio-economic background. We seek to ensure that no member of the College community receives less favourable treatment on any of these grounds which cannot be shown to be justified. This document is written with the above commitment, to ensure equality and diversity is at the centre of working life at Selby College. 13. Safeguarding Policy Selby College recognises its moral and statutory responsibility to safeguard and promote the welfare of students. We work to provide a safe and welcoming environment where students are respected and valued. We are alert to the signs of abuse and neglect and follow our procedures to ensure our students receive effective support, protection and justice. Selby College expects Governors, staff and volunteers working on behalf of the college to share this commitment. Page 11 of 17

12 APPENDIX A Schedule 2 Conditions At least one of the following must be satisfied: - Consent Contract Legal obligation Vital interest of the data subject Public Functions. In the case of consent a student might reasonably think that the college would use the non-sensitive data collected in the college in a college context. Schedule 3 Conditions Explicit consent Vital interest of the data subject Legal Proceedings Equal opportunities monitoring. In this case of explicit consent it is wise to obtain written consent. When a student signs the Selby College Learning Agreement they give their explicit consent for us to process the sensitive data collected on the form. Page 12 of 17

13 APPENDIX B SELBY COLLEGE: DATA SUBJECT ACCESS REQUEST FORM TO: The data controller [Selby College] FROM: [For identification purposes only please provide] FULL NAME: DATE OF BIRTH: ADDRESS + POSTCODE: In accordance with my rights under the data protection act 1998, I [the above named person] wish to have access to the following data that the college may hold about me as part of an automated system or any other relevant filing system. [Please tick as appropriate] Personal details including name, address, date of birth, ethnicity etc. Political, religious or trade union information. Academic marks or course work details. Academic or employment references. Health and medical matters including learning difficulties and disabilities. Disciplinary records. Any statements of opinion about my abilities or performance. I [the undersigned] understand that I will have to pay a fee of 10 to cover the administrative cost of accessing this data. Page 13 of 17

14 Note. In accordance with Selby College data protection policy the College aims to comply with requests for access to personal information as quickly as possible and will ensure that it is provided within 40 days of request unless there is reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request. Page 14 of 17

15 APPENDIX C Sample Case Studies Eversheds Solicitors, who provided Selby College with Data Protection consultancy, produced the case studies. The examples are not specific to Selby College but help us to understand the types of issues that we may have to deal with under the new 1998 Act. Page 15 of 17

16 APPENDIX D Data Protection Overview The Data Protection Act 1998 [DPA] applies to Selby College in that we are an organisation that stores and processes information about living individuals. Therefore all members of Selby College staff must adhere to data protection law and anyone handling data must follow the eight data protection principles Personal data must be: (1) processed fairly and lawfully (2) processed appropriately and must be for a specific limited purpose (3) relevant and not excessive in relation to the purpose for which it is held (4) accurate and up to date (5) only kept for as long as is necessary (6) processed in accordance with the rights of individuals under the act (7) kept in a secure manner (8) only transferred to other countries who have equivalent data protection controls. What data and filing systems are relevant? All filing systems where we hold information about living individuals are regarded as relevant filing systems under the DPA. This includes any filing system, not just computer systems, where information about individuals is readily accessible and includes data held in filing cabinets, folders, concertinas, card indexes, CCTV footage etc. What do I do if I am holding information about individuals? 1 Inform the College data controller [Mike Pilling, Network Services Manager] and read the College. 2 If the data held are sensitive [Ethnic origin etc.] obtain express permission from the individual concerned to hold the data. 3 Keep the data in a secure environment: a. Only allow authorised access to computers via password protection. b. Lock filing cabinets/offices. c. Do not remove data from the College without permission. d. Ensure proper disposal of old data. Page 16 of 17

17 4 Do not store any data that you would not want an individual to see [Personal opinions etc] and only store what is absolutely necessary for purpose. 5 Ensure that data is accurate [up to date]. 6 Be ready to provide copies of all data relating to an individual if requested by the data controller. 7 Ensure that individuals understand why and how we process the data we do. What rights do individuals [data subjects] have to see the data we hold about them? One of principal objectives of the data protection act is to create transparency and openness. Individuals have the right to see the data we hold about them and to understand how we use the data. Individuals can request to see the data we hold about them and under the law we have to provide access to their data [with only a few exceptions]. Page 17 of 17

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

HUMAN RESOURCES POLICIES & PROCEDURES

HUMAN RESOURCES POLICIES & PROCEDURES HUMAN RESOURCES POLICIES & PROCEDURES Policy title: Data protection policy Application: All employees CONTENTS PAGE Introduction 2 Status of the Data Protection Policy 2 Notification of data held and processed

More information

Data Protection Policy

Data Protection Policy 1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Data protection policy

Data protection policy Data protection policy Introduction The College is required to keep certain information about employees, students and other users to allow it to monitor performance, achievements, health and safety, recruitment

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention

More information

E-SAFETY POLICY 2014/15 Including:

E-SAFETY POLICY 2014/15 Including: E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

The Manchester College

The Manchester College The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Data Protection Policy and Procedure

Data Protection Policy and Procedure Data Protection Policy and Procedure INTRODUCTION West Nottinghamshire College is committed to preserving the privacy of its students and employees and to complying with the Data Protection Act 1998. To

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY Introduction 1. Looe Community Academy Trust (the Academy) is required to maintain certain personal data about living individuals for the purposes of

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will:

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will: Data Protection Policy Introduction. Team Bees is required to maintain certain personal data about living individuals for the purposes of satisfying operational and legal obligations. Team Bees recognises

More information

Data Protection Policy

Data Protection Policy Data Protection Policy January 2016 Next Review Due: January 2017 Co-ordinator: Miss M Rudge/Mrs J McColl 1 ACADEMY DATA PROTECTION POLICY POLICY DATE: JANUARY 2016 REVIEW DATE: JANUARY 2017 Introduction

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Page 1 of 10 Table of Contents 1. Points of Contact for this Policy 4 2. Purpose of Data Protection Policy 4 3. Overview of the Data Protection Act 1998 5 4. Confidentiality and

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information. MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

West Sussex County Council. Guidance on Information Law for Schools

West Sussex County Council. Guidance on Information Law for Schools This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education

More information

Data Protection Workshop: How the Law Affects You Practice Questions

Data Protection Workshop: How the Law Affects You Practice Questions Data Protection Workshop: How the Law Affects You Practice Questions 1. Which of the following is not personal data covered by the Data Protection Act (pick one or more): A. Comments about an individual

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development

More information

ILM Factsheet Dealing with data under the Data Protection Act 1998

ILM Factsheet Dealing with data under the Data Protection Act 1998 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY MILNBANK HOUSING ASSOCIATION DATA PROTECTION POLICY LS/NOV.2011/REF.P14 1) INTRODUCTION Milnbank Housing Association recognises that the Data Protection Act 1998 is an important piece of legislation to

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

DATA PROTECTION ACT POLICY

DATA PROTECTION ACT POLICY DATA PROTECTION ACT POLICY Personal data shall be obtained, maintained, stored, used and passed on only in strict accordance with the Act 1998. KIDS is registered according to the Data Protection Act 1998

More information

INFORMATION SHARING AGREEMENT

INFORMATION SHARING AGREEMENT University of Essex And Essex Police INFORMATION SHARING AGREEMENT September 2011 Version Published 1 1. INTRODUCTION 2. PURPOSE AND SCOPE OF THIS AGREEMENT 3. BENEFITS OF SHARING THIS INFORMATION 4. AGREEMENT

More information

37. Data Protection Act - Registration by Schools

37. Data Protection Act - Registration by Schools 37. Data Protection Act - Registration by Schools The Data Protection Act 1998 has replaced the Data Protection Act 1984. Whereas the 1984 Act only related to personal data that could be automatically

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

PRIVACY POLICY Personal information and sensitive information Information we request from you

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

More information

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998. BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007 East Northamptonshire Council Policy & Community Development Data Protection Policy December 2007 If you would like to receive this publication in an alternative format (large print, tape format or other

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

Data Protection Policy

Data Protection Policy Data Protection Policy BMBC Data Protection Policy V1 Page 1 of 7 Table of Contents 1 INTRODUCTION... 3 2 POLICY STATEMENT... 3 3. SCOPE... 3 4 DATA PROTECTION PRINCIPLES... 4 5 PREREQUISITE CONDITIONS

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Policy Procedure. Data Protection Act Contents

Policy Procedure. Data Protection Act Contents Policy Procedure Data Protection Act 1998 New policy number: 351 Old instruction number: MAN:A030:a2 Issue date: 20 April 2004 Reviewed as current: 16 January 2015 Owner: Head of Information and Communications

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: December 2015 Version: 6.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Data Protection and Research. Guidance Note

Data Protection and Research. Guidance Note Data Protection and Research Guidance Note 1. Introduction Personal Data used for research purposes by University staff must be dealt with in accordance with the Data Protection Act 1998 and its 8 Data

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information)

Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information) APPENDIX E Service Instruction 0759 Destruction of Information Assets (Including Protectively Marked Information) Document Control Description and Purpose This instruction is intended to provide guidance

More information

Data Protection for Schools Compliance Checklist

Data Protection for Schools Compliance Checklist Data Protection for Schools Compliance Checklist Here is a simple bullet point list of actions your school should take to work towards compliance with the Data Protection Act. It is a non - exhaustive

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information