DATA PROTECTION POLICY
Title: DATA PROTECTION POLICY
Author: Mike Pilling
Approved By and Date: Latest Update - Corporation May
Review Date: Aug 2013
Impact Assessment: August 2010
To be reviewed at least every 3 years

DATA PROTECTION ACT 1998
POLICY FOR ALL STAFF AND STUDENTS

1.0 Introduction

1.1 The Data Protection Act [DPA]

As a result of the College's Incorporation on 1 April 1993, the College became wholly responsible for compliance with the Data Protection Act. The original Data Protection Act 1984 has now been superseded by the Data Protection Act 1998, which significantly extends the scope of data protection law.

To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any person unlawfully.

Data held in electronic form continues to be covered by the new Act. However, manual files structured to enable specific information about a particular individual to be readily accessible will now also be caught and be regarded as relevant filing systems. Card index files, concertinas, files and ring binders containing information about individuals and arranged or divided, for example alphabetically, are covered by the Act, requiring compliance with the obligations below [see Note 1].

The legislation compels the College to take specific measures to ensure that all information [personal data] held about living individuals, held in a relevant filing system, is processed according to the eight data protection principles.

Note 1: There is a transitional relief period whereby manual filing systems in place and processing already underway before 24th Oct 1998 are exempt from compliance until the 23rd Oct 2001, by when all relevant filing systems will have to comply with the regulations.

2.0 Specific Obligations Under The 1998 Act

2.1 The main obligations

The College has two principal obligations under the new law:
- Not to process data until it has registered with the Office of the Data Protection Commissioner. The registration process is known as Notification.
- To comply with the eight data protection principles set out in the new Act, which govern how data should be processed, how they should be updated, and the rights of the individuals whose data are held. These are:

[1] Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 of the 1998 Act is met or, in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the 1998 Act is also met [See Appendix A].

[2] Personal data shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.

[3] Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

[4] Personal data shall be accurate and, where necessary, kept up-to-date.

[5] Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

[6] Personal data shall be processed in accordance with the rights of data subjects under this Act.

[7] Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

[8] Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2.2 Notification of data held and processed
Notification is the process by which the College [the data controller] informs the Data Protection Commissioner about the processing of personal data carried out by the College. Once the College has notified, the information about our College is then made available in a public register. Notification is a statutory requirement and failure to do so is a criminal offence.

The notification period is for one year and the College will have to renew its register entry annually, otherwise it will expire. We will be informed in writing just before the expiry date of our register entry.

Once the College has notified we must keep the notification up to date. If any part of the register entry becomes inaccurate or incomplete the College must take action to notify changes within 28 days of the event. The Data Protection Officer, Mike Pilling [Network Services Manager], should be contacted if a change in any register entry is required.

2.3 Rights of access to information

The principal purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know or be able to find out who is carrying out processing of personal data.

All staff, students and other users are entitled to know:

- what information the College holds and processes about them and why
- how to gain access to it
- how to keep it up to date
- what the College is doing to comply with its obligations under the 1998 Act.

We must be prepared to answer the following kind of query:

- Do you hold data about me?
- Please supply copies of all data you hold about me.
- For what purpose do you hold data about me?
- To whom do you disclose data about me?
The College will therefore provide copies of the College's registrations under the DPA 1998 and its, for reference in the College Library.

Staff, students and other users of the College have the right to access any personal data that is being kept about them either on a computer or in any relevant filing system. Any person who wishes to exercise this right should complete the College "Data Subject Access Request" form [See Appendix B] and give it to their manager or personal tutor.

Selby College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive.

The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.

Exemptions

There are a number of exceptions where exemptions from the Act apply. One such exemption is that of personal references. A data subject does not have the right to obtain from the College the details of a confidential reference that we have given. In the case where we have received a reference from a third party regarding a data subject we can disclose this information if it was deemed reasonable to do so, but we may decide to seek consent from the third party who provided the reference.

Third party access to information

Under normal circumstances third party access to an individual's personal information would not be permitted. The College in this instance would not be processing the personal data of the student/staff member fairly and lawfully in supplying information to a third party [Data Protection Principle 1]. However, if the third party was in fact the police, the College could disclose information about a data subject if we were satisfied that by withholding information we were likely to prejudice a criminal investigation.
To comply with the Act we should not provide information to the police if there is no indication from the police as to why they wanted the information.

2.4 Data Subject Consent
A data subject is an individual who is the subject of personal data held by the College and can include students and staff. The College can only hold and process certain classes of data with the consent of the individual.

The 1998 Act distinguishes between ordinary personal data such as name, address and telephone number and sensitive personal data including information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the new 1998 Act the processing of such data is subject to much stricter conditions. If the data are sensitive then express consent to hold and process the data must be obtained, which normally means consent in writing.

In our case the standard Selby College Learning Agreement acts as a consent form and by signing the form the student gives express consent for us to hold and process the sensitive data collected on the form. As for College staff, it is a condition of employment that they agree to the College holding and processing personal data including information about previous criminal convictions.

Therefore, all prospective staff and students will be asked to sign a Consent To Process form of some kind, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.

The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example.

Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18.
The College has a duty under the Children's Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the College facilities do not pose a threat or danger to other users.

3 Responsibilities of staff and students

The purpose of this section is to make all staff and students aware of their responsibilities towards all personal data held by the College and to indicate the practical steps to be taken to comply with the Act.
3.1 Staff Responsibilities

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College. Any failures to follow the policy can therefore result in disciplinary proceedings.

Regarding the processing of personal data by the College, staff should ensure that any data, which it is proposed to process, are covered by the College's notification under the Data Protection Act. The processing of personal data that have not been notified is a criminal offence. To help staff, the College will provide copies of the College's notifications under the DPA 1998, for reference in the College Library.

All staff are responsible for checking that any information they provide to the College in connection with their employment is accurate and up to date and that any changes at a later date are notified. All staff are responsible for checking the accuracy of information held and keeping this information up to date.

Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance.

Staff are responsible for ensuring that any person from whom personal data are obtained is not deceived or misled as to the purpose for which such data are held, used or disclosed. Staff must ensure that an indication of the purpose[s] appears on any form used to collect data and, where necessary, an explanation as to why the data are being collected. No unfair pressure should be used to obtain any personal data.

3.2 Student Responsibilities

Students must ensure that all personal data provided to the College are accurate and up to date. They must ensure that changes of address etc. are notified to the appropriate person, normally their tutor.
Students who use the College computer facilities may, from time to time, process personal data. If they do they must notify their personal tutor, who will notify the data controller. Any student who requires further clarification about this should contact their personal tutor, who will liaise with the Data Controller.
4. Data Security

All staff should observe strict control of all databases of information [computerised or manual] on living individuals, whether they be staff, students, members of the public, suppliers, customers etc. The College must notify all relevant filing systems and databases or it could face legal action. Failure of any member of staff to inform College management of the existence of a database or manual filing system could result in disciplinary action.

The holding of a College-related database outside the College also falls within these restrictions. The removal of College-related personal data on a computer to off-site locations or the holding of College-related personal data on a computer outside College will only be permitted in strictly controlled circumstances. It is not permitted to hold any College-related data off-site on a computer or other relevant filing system without prior approval from College management.

Great care must be taken not to disclose personal data either intentionally or accidentally. This can be helped by:

- Only allowing authorised access to computers [i.e. by not disclosing passwords]
- Switching off [or logging off] computer systems when you are not using them
- Keeping doors to rooms containing manual filing systems or computerised databases locked when not in use
- Preventing unauthorised information being obtained from computer screens
- Not disclosing personal information over the telephone without following established procedures
- Only disclosing personal information to which an individual is entitled after first verifying the true identity of the person requesting the information
- Ensuring proper disposal of waste materials such as computer printouts containing personal data
- Not removing any data/information from the College without prior authorisation
- Not storing/processing certain personal data on individuals unless it is absolutely required.

Before processing any personal data, all staff should consider the following checklist:

- Do you really need to record the information?
- Is the information standard or sensitive?
- If it is sensitive, do you have the data subject's express consent?
- Has the data subject been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- Have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject's consent to process, are you satisfied that it is in the best interest of the student/staff member to collect and retain the data?
- Have you informed the designated data controller for the College that you are storing this kind of information in a relevant filing system?

5. The Data Controller and the Designated Data Controller/s

The College as a body corporate is the data controller under the Act, and the Board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters. The designated data controller for Selby College is Mike Pilling [Network Services Manager].

6. Examination Marks

Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may decide to withhold certificates, accreditation or references in the event that full course fees have not been paid, or all books and equipment returned to the College.
7. Retention of Data

The College will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of 7 years after they leave the College. This will include name and address, academic achievements, including marks for coursework, and copies of any reference written. All other information, including any information about health, race or disciplinary matters, will be destroyed within 5 years of the course ending and the student leaving the College.

The College will need to keep information about staff for longer periods of time. In general, all information will be kept 5 years after a member of staff leaves the College. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references.

8. Third Party Processing

If we use a third party data controller to process data on behalf of the College we must ensure that the controller complies with the Data Protection Act. This would apply to subsidiary trading companies and franchise partners. We must obtain sufficient guarantees in respect of the processor's security measures and take reasonable steps to ensure compliance with those measures. We must ensure that the third party processor is subject to a written contract with the College.

9. Transfer of information outside the European Economic Area

The College will not transfer data outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. For instance the United States has no Data Protection Act but individual US companies can sign up to the safe harbour scheme guaranteeing data protection.

10. CCTV

CCTV Footage
Images of people captured by the CCTV systems operated by Selby College fall under the Data Protection Act. As with standard data, people can request to see CCTV footage where their image has been captured and is stored by the College.

Security of CCTV Footage

It is College policy that access to CCTV controls and images be physically secure and actual access to CCTV footage be limited to certain senior managers within the College.

Requests to access CCTV footage

In the instance where a person requests to see CCTV footage they must limit the request to a certain time slot within a one hour period and will only be entitled to view footage where they personally appear. In certain circumstances it may be required to seek the approval of third parties where people other than the person requesting access also appear in the footage. This may hold up the process of providing access to CCTV footage considerably.

Incidents

Where an incident has been reported and it occurred in view of CCTV systems [e.g. it is suspected that crime has taken place in view of CCTV cameras] the CCTV footage in question will be viewed under controlled circumstances by at least two members of staff with authority to view CCTV footage and operate the system. Where it is felt appropriate and where systems permit, a copy of the incident footage will be made and passed to an appropriate member of the senior management team who will then be able to take appropriate action.

11 Summary

The introduction of the new data protection law has forced the College to review the way in which data is processed. One of the purposes of this Policy is to ensure that proper action is taken to comply with the new requirements, which covers the following:

- To ensure that the College gives proper notification and is registered correctly
- To identify the manual records currently held and their contents, and determine which are likely to be caught by the new Act
- To establish how data are collected, and what consents are obtained, particularly in the case of sensitive data
- To review the security arrangements of third party processors such as franchise partners, and make sure that written contracts with them are put in place
- To remind employees of the data protection principles and make sure they are adhered to.

Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller.

12. Equality and Diversity Statement

Selby College welcomes and celebrates equality and diversity. We believe that everyone should be treated equally and fairly regardless of their age, disability, gender, gender identity, race, religion or belief, sexual orientation and socio-economic background. We seek to ensure that no member of the College community receives less favourable treatment on any of these grounds which cannot be shown to be justified. This document is written with the above commitment, to ensure equality and diversity is at the centre of working life at Selby College.

13. Safeguarding Policy

Selby College recognises its moral and statutory responsibility to safeguard and promote the welfare of students. We work to provide a safe and welcoming environment where students are respected and valued. We are alert to the signs of abuse and neglect and follow our procedures to ensure our students receive effective support, protection and justice. Selby College expects Governors, staff and volunteers working on behalf of the College to share this commitment.
APPENDIX A

Schedule 2 Conditions

At least one of the following must be satisfied:

- Consent
- Contract
- Legal obligation
- Vital interest of the data subject
- Public Functions.

In the case of consent a student might reasonably think that the College would use the non-sensitive data collected in the College in a College context.

Schedule 3 Conditions

- Explicit consent
- Vital interest of the data subject
- Legal Proceedings
- Equal opportunities monitoring.

In the case of explicit consent it is wise to obtain written consent. When a student signs the Selby College Learning Agreement they give their explicit consent for us to process the sensitive data collected on the form.
APPENDIX B

SELBY COLLEGE: DATA SUBJECT ACCESS REQUEST FORM

TO: The data controller [Selby College]
FROM: [For identification purposes only please provide]
FULL NAME:
DATE OF BIRTH:
ADDRESS + POSTCODE:

In accordance with my rights under the Data Protection Act 1998, I [the above named person] wish to have access to the following data that the College may hold about me as part of an automated system or any other relevant filing system. [Please tick as appropriate]

- Personal details including name, address, date of birth, ethnicity etc.
- Political, religious or trade union information.
- Academic marks or course work details.
- Academic or employment references.
- Health and medical matters including learning difficulties and disabilities.
- Disciplinary records.
- Any statements of opinion about my abilities or performance.

I [the undersigned] understand that I will have to pay a fee of £10 to cover the administrative cost of accessing this data.
Note. In accordance with Selby College data protection policy the College aims to comply with requests for access to personal information as quickly as possible and will ensure that it is provided within 40 days of request unless there is reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
APPENDIX C

Sample Case Studies

Eversheds Solicitors, who provided Selby College with Data Protection consultancy, produced the case studies. The examples are not specific to Selby College but help us to understand the types of issues that we may have to deal with under the new 1998 Act.
APPENDIX D

Data Protection Overview

The Data Protection Act 1998 [DPA] applies to Selby College in that we are an organisation that stores and processes information about living individuals. Therefore all members of Selby College staff must adhere to data protection law and anyone handling data must follow the eight data protection principles.

Personal data must be:

(1) processed fairly and lawfully
(2) processed appropriately and must be for a specific limited purpose
(3) relevant and not excessive in relation to the purpose for which it is held
(4) accurate and up to date
(5) only kept for as long as is necessary
(6) processed in accordance with the rights of individuals under the Act
(7) kept in a secure manner
(8) only transferred to other countries who have equivalent data protection controls.

What data and filing systems are relevant?

All filing systems where we hold information about living individuals are regarded as relevant filing systems under the DPA. This includes any filing system, not just computer systems, where information about individuals is readily accessible and includes data held in filing cabinets, folders, concertinas, card indexes, CCTV footage etc.

What do I do if I am holding information about individuals?

1. Inform the College data controller [Mike Pilling, Network Services Manager] and read the College.
2. If the data held are sensitive [Ethnic origin etc.] obtain express permission from the individual concerned to hold the data.
3. Keep the data in a secure environment:
   a. Only allow authorised access to computers via password protection.
   b. Lock filing cabinets/offices.
   c. Do not remove data from the College without permission.
   d. Ensure proper disposal of old data.
4. Do not store any data that you would not want an individual to see [Personal opinions etc.] and only store what is absolutely necessary for purpose.
5. Ensure that data is accurate [up to date].
6. Be ready to provide copies of all data relating to an individual if requested by the data controller.
7. Ensure that individuals understand why and how we process the data we do.

What rights do individuals [data subjects] have to see the data we hold about them?

One of the principal objectives of the Data Protection Act is to create transparency and openness. Individuals have the right to see the data we hold about them and to understand how we use the data. Individuals can request to see the data we hold about them and under the law we have to provide access to their data [with only a few exceptions].
John Leggott College. Data Protection Policy. Introduction
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
How To Protect Your Personal Information At A College
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
Data Protection Policy
1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.
DATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
Data protection policy
Data protection policy Introduction The College is required to keep certain information about employees, students and other users to allow it to monitor performance, achievements, health and safety, recruitment
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
DATA PROTECTION POLICY
DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention
E-SAFETY POLICY 2014/15 Including:
E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable
Dublin City University
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
Information Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
The Manchester College
The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored
DATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
DATA PROTECTION POLICY
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
Merthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
DATA PROTECTION ACT 1998 COUNCIL POLICY
DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations
Human Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
Data Protection Policy
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
Little Marlow Parish Council Registration Number for ICO Z3112320
Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with
Scottish Rowing Data Protection Policy
Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this
1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.
MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix
Policy Document Control Page
Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:
HERTSMERE BOROUGH COUNCIL
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
Data Protection Policy
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
Data Protection Act a more detailed guide
Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data
2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.
University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
Corporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
Data Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
Human Resources and Data Protection
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
University of Limerick Data Protection Compliance Regulations June 2015
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
Data Protection Workshop: How the Law Affects You Practice Questions
Data Protection Workshop: How the Law Affects You Practice Questions 1. Which of the following is not personal data covered by the Data Protection Act (pick one or more): A. Comments about an individual
DATA PROTECTION POLICY
MILNBANK HOUSING ASSOCIATION DATA PROTECTION POLICY LS/NOV.2011/REF.P14 1) INTRODUCTION Milnbank Housing Association recognises that the Data Protection Act 1998 is an important piece of legislation to
Data Protection Policy
Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...
PRIVACY POLICY Personal information and sensitive information Information we request from you
PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage
DATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
The Manitowoc Company, Inc.
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
DATA PROTECTION POLICY
DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary
Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
Data Protection Policy
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
Data Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
Data Protection and Data security Policy
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
How To Understand The Data Protection Act
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation's legitimate need to process personal data Promote openness and transparency Establish and
OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
Data Protection Policy A copy of this policy is published in the following areas: The school's intranet The school's website
Data Protection Policy A copy of this policy is published in the following areas: The school's intranet The school's website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,
INFORMATION GOVERNANCE AND DATA PROTECTION POLICY
INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy
So the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
Data Protection Guidance
53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection
Caedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 INTRODUCTION
Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk
Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining / Processing 5 3. Data Uses and Processes 6 4. Data
technical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner's Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk
Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The
DATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy) applies to all personal data collected and dealt with by Centre 404, whether
Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection
Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?
Data Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn't hurt
QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn't hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.
Data Protection and Privacy Policy
Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.
DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;
DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules
Data Protection for the Guidance Counsellor. Issues To Plan For
Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)
ATMD Bird & Bird. Singapore Personal Data Protection Policy
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and
Data Security and Extranet
Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:
CORK INSTITUTE OF TECHNOLOGY
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
Protection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
Information Sharing Policy
Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed
Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information)
APPENDIX E Service Instruction 0759 Destruction of Information Assets (Including Protectively Marked Information) Document Control Description and Purpose This instruction is intended to provide guidance
Data Protection Policy
Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;
Data Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents
EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security
Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Data protection compliance checklist
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
Data protection policy
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
Data Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
Information Governance Policy
Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups
Information Handling Policy
Information Handling Policy 10 December 2015 Information Handling Policy 1. Who We Are 1.1 In this Information Handling Policy, references to we, our, us and ClearView are to ClearView Wealth Limited and
Data Compliance. And. Your Obligations
Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection
Data Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
Credit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
Corporate Data Protection Policy
Corporate Data Protection Policy September 2010 Records Management Policy RMP-09 GOLDEN RULE When you think about Data Protection remember that we are all data subjects. Think about how appropriately and
USE OF PERSONAL MOBILE DEVICES POLICY
Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014
DATA PROTECTION AUDIT GUIDANCE
DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
AlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP (AlixPartners) is committed to fulfilling its obligations under the data protection
Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015
Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
(4) THAMES VALLEY POLICE of Oxford Road, Kidlington, OX5 2NX ("Police Force"),
DATE OF INFORMATION SHARING AGREEMENT JULY 2015 PARTIES (1) LIVE NATION (MUSIC) UK LIMITED (Company Number 02409911) whose registered office is at 2nd Floor, Regent Arcade House, 19-25 Argyll Street,
Guidelines on Data Protection. Draft. Version 3.1. Published by
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
DATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.
PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy (Policy) establishes the approach of Fluor to compliance with European data protection law and specifically
Photography and filming in schools Code of Practice
Photography and filming in schools Code of Practice Data Protection compliance September 2010 Photography and filming in schools September 2010 1 Contents 1. About this code 3 2. Complying with the Data
Information Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
Direct Recruitment Privacy Policy
Direct Recruitment Privacy Policy Direct Recruitment manages personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles (APP). This policy applies to information collected
Human Resources Policy No. HR46
Human Resources Policy No. HR46 Maintaining Personal Files and ESR Records Additionally refer to HR04 Verification of Professional Registration HR33 Recruitment and Selection HR34 Policy for Carrying Out
Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
DATA PROTECTION CORPORATE POLICY
DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City
Data Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4th January 2011 Contact: Governance Team ICT
Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016
Information Assurance Policies and Guidance Information Governance Policy Document Version: v0.5 Review Date: 1 May 2016 Owner: Information Governance Manager Document History Revision Version