Access to Information: Data Protection and Freedom of Information

Records Management Section

Data protection: key concepts
- Personal data
- Sensitive personal data
- Data subjects
- Data protection principles

Personal data
Day-to-day definition: Any information about an identifiable, living individual, regardless of the format, e.g.:
- CCTV footage
- Computer data
- Paper files
- Disorganised notes
Detailed definition:

Sensitive personal data
- Racial or ethnic origins
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sex life
- Commission, or alleged commission, of any offence
- Proceedings for any offence and outcomes

Data subjects
An individual who is the subject of personal data. E.g.:
- Students
- Applicants
- Staff
- Research participants
- Customers

Data protection principles
1. Fair and lawful processing
2. No incompatible processing
3. Adequate, relevant and not excessive data
4. Accurate and up-to-date data
5. Data kept for no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Security
8. No transfers outside the EEA

What happens if we get it wrong?
- Fraud, identity theft, distress
- Damage to relationships and research access
- Reputational damage
- Investigated by the Information Commissioner
- The University can be fined up to £500,000
- The University can be sued
- Personal criminal offences
  - Unauthorised disclosure
  - Destruction of information required for a request
  - Processing without notification
Optical Express slapped over spam text nuisance

When can we be fined? (1)
Serious contravention of the data protection principles by the University or someone acting for it
- Nature of the information
- Number of people involved
- Duration of the breach
- Extent of the breach
For example:
- Loss of medical records during office move
- Loss of CD in absence of encryption facilities, procedures, guidance etc.

When can we be fined? (2)
AND likely to cause substantial damage or substantial distress
For example:
- Inaccurate information in an employment reference
- Exposure to identity fraud
- Worry and anxiety

When can we be fined? (3)
AND either:
- The breach was deliberate
  - E.g. collecting information for one stated purpose and using it for another
- OR must have known or should have known of the risk and failed to take reasonable steps to prevent it
  - E.g. knowing that staff are using sensitive information on laptops and failing to encrypt them

What are reasonable steps?
- Risk assessment
- Relevant and appropriate policies, procedures, processes, advice and guidance in place and being followed
- Governance and audit arrangements in place to prevent contraventions
- Rectifying flaws as soon as they are identified

Data protection: what you must do
1. Respond to subject access requests within 40 calendar days
2. Tell individuals what you do with information about them
3. Keep personal data securely
4. If you pass data outwith the University, follow the policies and procedures, e.g.
   - Model contract clauses
   - Student information
   - Internet publishing
   - Staff information
5. Use University retention schedules and disposal guidance

Subject access requests
- 40 calendar days to respond
- £10 statutory fee
- Co-ordinated by practitioners and Records Management Section
- Ensure you are not the only person with access to any records
  - Use shared drives
- Don't keep unnecessary records
- Be aware that people can ask to see any record
Procedures at:

Collecting personal data
- Tell data subjects what you do with personal data
  - Privacy notice
- Only use personal data for the purpose it was collected
- Meet the processing conditions, e.g.:
  - Consent
  - In pursuit of legitimate interests and does not cause unwarranted prejudice to the data subject
  - More stringent conditions for sensitive personal data
- Only keep relevant and accurate personal data
- Marketing

Marketing: privacy and electronic communications regulations (PECR)
Direct marketing: The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Marketing is not just the offer for sale of goods and services, but also the promotion of an organisation's aims and ideals.
Collecting contact details for direct marketing:
1. Obtain positive opt-in before sending any messages
   - Think about form design for collecting contact details and opt-ins
2. Provide privacy notice
   - Type of marketing materials you intend to send
   - How you intend to contact recipients
   - Clear opt-out opportunities

Sending direct marketing communications
- Clearly identify the sender
Traditional letters and telephone calls
- Screen against the MPS/TPS register
- Screen against our suppression list
- Provide a valid address or free phone number to opt-out of further letters and calls
Email, SMS, voicemail / answer phone messages
- Obtain opt-in before sending any messages (unless soft opt-in applies)
- Provide an opt-out on each message

Patients' medical histories stored on stolen laptop
A LAPTOP containing personal details of scores of NHS patients is one of nearly 200 computers either stolen or missing from public bodies in the Lothians. The computer held "extensive" data on the psychiatric and personal histories of participants in a medical study, as well as information on whether they had suffered physical or sexual abuse.
Edinburgh Evening News, 25 February

University Policy on taking sensitive information and personal data outside the secure computing environment
All medium and high risk personal data or sensitive business information must be encrypted if it leaves the University environment

Classification of risk
Sensitive personal data: Medium | High | High | High
Fraud or identity theft data: Low | Medium | Medium | High
Identifiable individual: Low | Low | Medium | High
Columns (number of individuals): 5 9 Individuals | Individuals | Individuals | > 1000 Individuals

High risk personal data and business information
- Any set of data relating to individuals
- Information about 50+ that could be used for fraud or identity theft
- Information about personal/family lives of 50+ individuals
- Proposals having a significant impact on 50+ individuals
- Sensitive personal data relating to 10+ individuals
- Health records of any identifiable person
- Security arrangements (whilst still relevant)
- Changes to high profile strategies, policies and procedures

Medium risk personal data and business information
- Information relating to identifiable research participants
- Sensitive personal data relating to 1-9 individuals
- Information about personal/family lives of
- Information about individuals that could be used for fraud or identity theft
- Any set of data relating to individuals
- Information provided in confidence
- Information that could disadvantage the University's negotiations
- Proposals having a significant impact on individuals

Key Principles
1. Avoid using personal data wherever possible
2. Anonymise
3. Use secure shared drive
4. Use remote access facilities
5. If you cannot avoid using a mobile device, encrypt
6. Do not use personal equipment or third party hosting services
7. Avoid email
   - Encrypt
   - Indicate content in title
8. Do not use in public places
9. Take physical security measures
10. Implement University retention and disposal policies

What do you need to do?
- Comply with policy
- Follow guidance
- Use recommended USB stick
- Encrypt laptops
- Take sensible precautions
- Passwords, autolocking
- Log out
- Destroy, don't recycle
- Know your software
- Get to know the IT Security website

Model contract clauses
Why?
- It is a legal requirement
- We are responsible for our contractors' / suppliers' use of personal data
- If things go wrong, the buck stops with the University
How?
- Cover data protection requirements in the contract
- Use the appropriate model clauses
Procedures at:

Disclosing student information
- Information about students is confidential
- Disclose only in line with policy/procedures or on decision of relevant head of department
- Decision is the responsibility of the owner of the data/function
  - Immigration Service
  - Embassies and high commissions
- Parents have no entitlement to information
- Do not confirm or deny that someone is a student
- Tell the student
Procedures at:

When can I disclose?
- To the student or their representative
- With student's consent
- To University staff for declared purposes
- Disclosure is required by law e.g. immigration
  - Confirm identity of enquirer
  - Check the law
- For the prevention or detection of crime
  - Usually Registry
  - Not a fishing exercise
  - Serious offence
  - Get the relevant paperwork
- Fraud
  - Forward the case to Registry

Internet publishing
- Before publishing get consent
- Written or verbal consent?
- Appropriate to the risk
- Allow individuals to manage publication themselves?
- Ensure information can be quickly removed
Procedures at:

Disclosing staff information
- Information about staff is confidential
- Enquiries for information should be handled in line with policy/procedures or on decision of relevant head of section
- Do not confirm or deny that someone is a member of staff unless the information is publicly available
- If in doubt do not disclose the information and seek advice from the Records Management Section
- Model letters are available
Procedures at:

When can I disclose?
- With the staff member's consent
- Disclosure required by law e.g. HESA, UKBA
- For the prevention and detection of crime
- Non-disclosure would prejudice interests
- Necessary to protect from fraud or misrepresentation
- To University staff for declared purposes
- Media enquiries
- Freedom of information requests

Implications for research
- If promising confidentiality, be specific
- If using personal data, two options:
  - Completely anonymise the data, or
  - Comply with the Data Protection Act
- Collect only what you need
- Inform data subjects what you intend to do with the data
- Keep and dispose of data securely
- Identify and implement retention policy for research data

Implications for teaching
- Do not collect unnecessary student information
- Don't share student info outwith the University
- Use remote access facilities, don't store student information at home or elsewhere
- Take care where you access and use student info

Freedom of information: principal requirements
- Individual requests
  [Chart: Ten years of FOI requests, by year]
  - Received 440 requests in 2014
  - Popular topics: expenses, salaries, finance/investments, student population and conduct
- Publication scheme
  - Must keep up-to-date
  - Must publish in line with obligations
- Records management
  - Helps to find information

Individual requests
- Anyone, anywhere can ask for anything held by the University
- Any question to any member of staff counts
- They do not have to cite freedom of information
- Includes information created by other organisations
- Cannot ask why they want to know
- Duty to provide advice and assistance
- Maximum of 20 working days to respond
- Must provide information or claim an exemption
- Exemptions are narrowly drawn

Relevant exemptions
- Information otherwise accessible
- Research information
- Commercial interests
- Trade secret
- Actionable breach of confidence
- Breach of the data protection principles
- Effective conduct of public affairs
BUT: Exemptions are narrow and subject to the public interest test

*Not* exemptions
- I don't like / don't trust the applicant
- I'm too busy
- I don't know
- I can't find the information easily
- It's embarrassing
- It looks bad
- It is bad

Good records management
1. Helps you to do your job better
2. Protects you and the University
3. Saves you time
4. Reduces costs
5. Gives you records you can rely on
- Creating records
- Organising records
- Retention and disposal
- Managing email
- Dos and don'ts

Creating records
- Consider the purpose of the record
- Ensure that the record fulfils its purpose
- Do not create records unnecessarily
- Document the University's activities
- Be sure of the facts
- Provide evidence
- Is it about an identifiable, living individual?
- Ensure that the information is relevant, accurate and not excessive
Guidance at:

Organising records
- Create files
  - Containing information on the same issues/ responsibility/ transaction
- Designate a single, lead file or golden copy
- Storage of records
  - Accessible to all relevant staff
- Format: paper, electronic, microfilm, etc.
  - Irrespective of the format, use the same records management principles

Filing Scheme
[Diagram: An example of an electronic filing scheme, showing Level 1 categories branching into Level 2 and Level 3 categories and Level 4 folders]
4 level hierarchy:
- Level 1 = broad categories
- Levels 2-3 = more refined categories
- Level 4 = folders to file your records
Only file records at level 4

How long should we keep records?
- Ask your practitioner about your unit's local retention schedule
- See Records Management Section advice:
- University retention schedules:
- Disposal: destruction or transfer to archive
- Risk assessment
Procedures:

Creating a retention schedule
- Duplicate records vs. golden copies
- Legal or regulatory requirements?
- Current business processes
- Document business processes/ decisions taken/ actions carried out for future reference
- Accountability purposes?
- Long-term research value?

Managing email
Issues to consider:
- Work emails are University documents
- Work emails may be open to scrutiny
- Email is not secure
Recommended management techniques:
- File important emails so that they are accessible to others
- Delete unwanted emails
- When replying, keep the original text as part of your response
- Set up a separate folder for personal emails
Guidance at:

Records Management Best Practice
Do:
- Organise your records into files
- Store records in such a way that any other user can readily find relevant information
- Ensure that work done at home is added into your unit's records systems
- Mark personal material clearly as such
- Remember every email is a University record
- Store important information with the relevant file(s)

Records Management Best Practice
Don't:
- Keep records for any longer than they are needed
- Keep files that duplicate information held elsewhere in your unit (except to meet short-term operational requirements)
- Keep University records on personal drives, unless it is highly confidential
- Keep sensitive University information on your home computer
- Store information on your c: drive
- Name folders on shared drives after yourself

What does freedom of information mean for you?
- Use the procedures available to answer requests

What does freedom of information mean for you? (1)
- Any request for information must be answered in 20 working days
- Follow the procedures to avoid complications
- Keep a record of what you did
- Contact your local practitioner:
  - If in doubt
  - To refuse a request
  - When it is not in your remit to release this information

What does freedom of information mean for you? (2)
- All documents & emails may be open to scrutiny
- Create clear and professional information
- Encourage use of Internet
- Make sure someone can find your information in your absence
- Preserve & share key information
- Delete unnecessary information

Enforcement
- Complain to the Scottish Information Commissioner
- Personal criminal offence
  - Destruction of information required for a request
- Contempt of court

Advice and assistance
- Your local practitioner
- The Records Management Section

Questions?


More information

Information security incident reporting procedure

Information security incident reporting procedure Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction: This policy sets out Northwards Housing obligations under the Data Protection Act (1998) as an organisation that collects personal data on individuals. This policy

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Data Protection for Charities

Data Protection for Charities Data Protection for Charities CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 This guidance is suitable for Public Disclosure Owner of Doc:

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

10 DATABASE PRACTICE

10 DATABASE PRACTICE 10 DATABASE PRACTICE Background Marketers must comply with all relevant data protection legislation. Guidance on that legislation is available from the Information Commissioner's Office. Although data

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Data Protection Acts 1988 and A Guide to Your Rights

Data Protection Acts 1988 and A Guide to Your Rights Data Protection Acts 1988 and 2003 A Guide to Your Rights :1 Definitions As with any legislation, certain terms have particular meaning. The following are some useful definitions: Data means information

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Contents 1. Policy Statement... 2 2. Background to the Data Protection Act 1998... 2 3. DPA Definitions... 2 4. Responsibilities under the Data Protection Act... 3 5. Notification...

More information

Quick guide to the employment practices code

Quick guide to the employment practices code Data protection Quick guide to the employment practices code Ideal for the small business Contents 3 Contents Section 1 About this guidance 4 Section 2 What is the Data Protection Act? 5 Section 3 Recruitment

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

37. Data Protection Act - Registration by Schools

37. Data Protection Act - Registration by Schools 37. Data Protection Act - Registration by Schools The Data Protection Act 1998 has replaced the Data Protection Act 1984. Whereas the 1984 Act only related to personal data that could be automatically

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

ILM Factsheet Dealing with data under the Data Protection Act 1998

ILM Factsheet Dealing with data under the Data Protection Act 1998 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity

More information

Information Services. Protecting information. It s everyone s responsibility

Information Services. Protecting information. It s everyone s responsibility Information Services Protecting information It s everyone s responsibility Protecting information >> Contents >> Contents Introduction - we are all responsible for protecting information 03 The golden

More information

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011) Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011) Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

UNIVERSITY OF ST ANDREWS. EMAIL POLICY November 2005

UNIVERSITY OF ST ANDREWS. EMAIL POLICY November 2005 UNIVERSITY OF ST ANDREWS EMAIL POLICY November 2005 I Introduction 1. Email is an important method of communication for University business, and carries the same weight as paper-based communications. The

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information