Human Resources Procedure

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Human Resources Procedure"

Transcription

1 Human Resources Procedure POLICY AND PROCEDURE Data Protection Procedure and Code of Practice VERSION NUMBER 1.0 APPROVING COMMITTEE SMT DATE OF APPROVAL 10 June 2014 EQUALITY IMPACT ASSESSMENT 6 June 2014 REVIEW DATE June 2017 RESPONSIBLE PERSON Director Organisational Development and HR

2 Data Protection Procedure and Code of Practice Data Protection Procedure 1. Introduction The Data Protection Act 1998 ( the DPA ), which implements EU Directive 95/46/EC, regulates the processing of information relating to individuals ( personal data ), including the obtaining, holding, use or disclosure of such personal data. West College Scotland ( the College ) holds a wide range of personal data about individuals such as its employees, students, former students and others (who are defined as data subjects in the DPA) to allow it to carry out many of its functions, for example, organising and operating courses, complying with legal obligations, e.g. health and safety and recruiting, managing and paying staff. This procedure applies to all processing of personal data for the College s purposes, by staff, students and others, regardless of where the personal data is held or who owns electrical equipment which is used to automatically process personal data. Personal data must be processed in accordance with the DPA and, in particular, the Data Protection Principles set out in schedule 1 to the DPA. 2. Status of this Procedure This procedure is not contractual and will be subject to amendment by the College from time to time. Staff and students are expected to abide by the policy that is in place at any particular time. Any failure to follow the policy may result in disciplinary proceedings. This procedure is directed from and endorsed by the Board of Management. Page 2 of 33

3 3. Definitions Data is defined in the DPA as information which: (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment; (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68 of the DPA; or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d) Data controller is defined in the DPA as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed. Data processor is defined in the DPA as any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Data subject is defined in the DPA as the individual who is the subject of personal data. Personal data is defined in the DPA as data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Page 3 of 33

4 Relevant filing system is defined in the DPA as any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. Sensitive personal data is defined in the DPA as personal data consisting of information as to (a) the racial or ethnic origin of the data subject, (b) his or her political opinions, (c) his or her religious beliefs or other beliefs of a similar nature, (d) whether he or she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his or her physical or mental health or condition, (f) his or her sexual life, (g) the commission or alleged commission by him or her of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings or the sentence of any court in such proceedings. Processing is defined in the DPA as the obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data. Page 4 of 33

5 4. Principles The eight Data Protection Principles are: 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 5. The Data Controller Page 5 of 33

6 The College is the Data Controller under the DPA. 6. Data Protection Officer The College s Data Protection Officer is the Director Organisational Development and HR. The College Data Protection Officer can be contacted at or on or Any questions or concerns about the interpretation or operation of this procedure should be taken up with the Data Protection Officer. 7. Responsibilities of staff, students and others who provide personal data to the College All staff, students and others who provide personal data to the College are responsible for ensuring that the personal data they provide to the College is accurate at the time it is given, and for informing the College of any changes to the personal data that they have provided to it, e.g. change of address. The College cannot be held responsible for any errors in the personal data it holds unless the staff member, student or other individual informs the College of such changes. 8. Staff and others who process personal data in respect of which the College is the Data Controller All staff and others who process personal data in respect of which the College is the Data Controller are responsible for ensuring that they process personal data in accordance with this policy, with the eight data protection principles and with the other requirements of the DPA. 9. Students who process personal data in respect of which the College is the Data Controller Students who process personal data in the course of their studies in respect of which the College is the Data Controller must only process that personal data in accordance with the instructions given to them by their supervisor or tutor. Students who process personal data in respect of which the College is the Data Controller must ensure that they process personal data in accordance with this policy, with the eight data protection principles and with the other requirements of the DPA. Page 6 of 33

7 10. Data security All staff and students are responsible for ensuring that: any personal data that they hold is kept securely; and personal data is not disclosed orally, in writing or via web pages or by any other means, intentionally or otherwise, to any unauthorised third party. Further guidance on how to keep personal data securely is found in the College s Data Protection Code of Practice. In particular: Filed personal data must be kept in a locked cabinet, drawer, or safe; Where personal data is held on computer, access to the computer must be via a secured login using a complex password that is reset at regular intervals. In addition, where personal data is held on a laptop computer, the laptop itself must be kept physically secure while in transit or while not in use. Computerised personal data should be backed-up regularly. Wherever possible, taking personal data off-site should be avoided. In particular, sensitive personal data should never be removed to an off-site location unless this is absolutely necessary and there is no other alternative. Unauthorised disclosure of personal data is a disciplinary matter and may be considered gross misconduct in some cases. 11. Rights to access personal data The DPA gives a data subject a right to make a subject access request: to be informed of whether his or her personal data is being processed by the College; to be given a description of his or her personal data, the purposes for which the College processes or will process his or her personal data and the recipients to whom his or her personal data may be disclosed; Page 7 of 33

8 to have given to him or her in an intelligible form the information which constitutes his or her personal data, and any information the College has as to the source of his or her personal data; and where his or her personal data is computerised and processed by the College for the purpose of evaluating matters relating to him or her, e.g. his or her performance, and is likely to constitute the sole basis for any decision affecting him, to be informed of the logic involved in the decision making. Staff must notify the Data Protection Officer of any subject access request as soon as it is received. All subject access requests must be responded to by the College within the timescale set down in the DPA (currently 40 calendar days). The College will normally charge the prescribed maximum fee (currently 10) on each subject access request it receives. Wherever possible, a Subject Access Request Form should be completed. The College cannot insist upon this under the DPA, but it will assist in the identification and locating of personal data, and should be used where the data subject agrees. The College will, upon receiving a valid subject access request under the DPA, provide a data subject with access to their personal data, subject to the application of relevant exemptions in the DPA and the protection of the rights of other data subjects. Notwithstanding the provisions of the DPA, the College has resolved that a member of staff may inspect their personal file under supervision in the Human Resources Department if they make a prior request in writing to the Director Organisational Development and HR giving 2 working days notice. No copies of any documentation may be taken. This does not affect the rights of staff under the DPA to make a subject access request. 12. Examination marks and scripts The College will routinely provide students with information about their marks for coursework and examinations during the course of their studies. Page 8 of 33

9 Examination scripts are exempt from the subject access provisions in the DPA and will not ordinarily be provided to a student who requests them. However, it should be noted that examiners comments written on the scripts may well fall within the definition of personal data, particularly if commenting directly on the student, and are not exempt from the subject access provisions. 13. Data transfer Where personal data is transferred internally, the recipient must only process the personal data in a manner consistent with the College s notification with the UK Information Commissioner s Office, and within the original purpose for which the personal data was collected. Personal data is not to be published on the internet without the express permission of the Data Protection Officer. 14. Processing sensitive personal data From time to time it is necessary for the College to process personal data which relates to an individual s health, criminal convictions, race, or trade union membership etc, which constitutes sensitive personal data under the DPA. More information about this is available from the Data Protection Officer. 15. Publication of personal data The names of senior managers and governors of the College will be published in the Annual Accounts and on the public website where there is any legal requirement to make such personal data public. Certain personal data relating to College staff will be made available via searchable directories on the public website, in order to meet the legitimate needs of visitors and enquirers seeking to make contact with appropriate staff. The College will make available the minimum personal data that is necessary to meet those legitimate interests. More information can be found in the College s Data Protection Code of Practice. Page 9 of 33

10 Where the College proposes to publish any further personal data of senior managers and members of the Board of Management, or any personal data of other individuals, the College will seek the consent of the individual. 16. Retention of personal data The College has a duty to retain some staff and student personal data for a period of time following their departure from the College, mainly for legal reasons, but also for other purposes such as being able to provide references and academic transcripts, or for financial reasons, for example, relating to pensions and taxation. Different categories of personal data will be retained for different periods of time. The exact details of retention periods and purposes are set out in the College s Data Protection Code of Practice. 17. Data protection and references Confidential references that are given by the College are exempt from the subject access provisions of the DPA in relation to any request made to the College. However, references that are received by the College from another person are not exempt. If the College receives a request for a reference received by it, the College will have regard to the rights under the DPA of the provider of the reference. Page 10 of 33

11 Data Protection Code of Practice 1. Introduction This Code of Practice must be read in conjunction with the College s Data Protection Policy document to give the fullest picture of West College Scotland s data protection regime. This document gives an introduction to some basic points of practice relating to the handling and processing of personal data at West College Scotland. It also lists the particular activities carried out within the College s support and academic departments that involve the processing of personal data. The College uses CCTV for a number of purposes. For further information and guidance on the college s processing of CCTV footage containing personal data, and for details of such processing,please see the College s CCTV Code of Practice available on the College intranet. 2. Key Concepts The Data Protection Act 1998 places an obligation upon West College Scotland, as a data controller, to collect and use personal data in a responsible and accountable fashion. West College Scotland is committed to ensuring that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by the College in whatever medium. Key concepts to be considered are those of purpose, fairness, lawfulness, transparency and security, which are all addressed in this Code of Practice. 3. Purpose The Data Controller can only process personal data where they have a clear purpose for doing so and then only as necessitated by that purpose. Paragraphs of this Code of Practice summarise the purposes for which the College processes personal data. Personal data cannot be processed for purposes that have not been defined and declared in the College s Data Protection Register entry (see paragraph 6 below). 4. Fairness and lawfulness West College Scotland must not process personal data unless the processing is fair and lawful and meets certain conditions set down in the Act. For some types of processing the required elements of fairness and lawfulness are clearly outlined in the legislation, but for many others they are not. In such cases, West College Scotland has tried to take a broad Page 11 of 33

12 approach to deciding what is fair and lawful in each case, based on an interpretation of the 1998 Act and in conjunction with advice from the Information Commissioner, the College s own legal advisors, and on wider practice within the UK FE / HE sector. 5. Transparency Members of staff, students and others must be able to feel that there is no intention to hide from them details of how their personal data are collected, used and distributed by the College. One of the functions of this Code of Practice is to provide that assurance. 6. Existing Notifications The Act requires data controllers to notify the Information Commissioner of the purposes for which personal data are processed, together with certain details of that processing. Those notifications are then held on a public register. The College has two existing Register entries for the College and the Students Association that can be examined on-line at the following Web address: 7. It is an offence for the College to hold personal data that falls outside of the classes declared in these notifications or to process personal data for any purposes that are not defined there. It is therefore very important that those who work with personal data in the course of their College duties are familiar with the details contained in these notifications. 8. Any changes that may be required should be passed to the Data Protection Officer as these entries are periodically reviewed and amended as necessary by the Data Protection Officer. 9. Paragraph 6 of the Data Protection Policy gives details of the College s Data Protection Officer, who is responsible for handling subject access requests and dealing with data protection enquiries within the College. 10. Collection of personal data In most cases, the personal data held by the College will be obtained directly from the data subjects themselves. The law stipulates that a privacy notice must accompany any request for personal data. Any members of staff responsible for managing the collection of personal Page 12 of 33

13 data for the legitimate activities of the College must ensure that a notice containing the following information is included in the request for that data: A statement that West College Scotland is the data controller The name and/or job title of the specific member of staff responsible for the administration of the personal data being collected, to enable, for example, subsequent amendments to be submitted by the data subject A clear explanation of the types of data being collected and the purposes for which that data will be processed Any further information that is considered necessary to ensure that the data processing can be described as being fair, for example details of any third parties to whom the data might be disclosed A statement making it clear that by submitting the personal data, the data subjects are giving their consent for the processing of the data for the stated purposes to take place. 11. Amendment of personal data From time to time data subjects will wish to update some of their personal data held by the College, for example their home addresses or other contact details previously submitted. To do this, the data subjects must either contact the specific member of staff designated in the data protection notice at the time the data was submitted, or the appropriate Data Protection Officer as set out in paragraph 6 of the Data Protection Policy. Proof of identity will be required before any amendments can be made. 12. As and when self-service computer-based support systems are introduced for staff, students or others, the data subjects themselves will be responsible for the maintenance of certain elements of their personal records. 13. These systems will incorporate the necessary authentication and security mechanisms to ensure that data subjects are only able to view and amend their own data. Page 13 of 33

14 14. Security of personal data Of fundamental importance within any data protection regime is the security of the personal data that is being processed. Data subjects have the right to expect that their personal data will be kept and processed securely and that no unauthorised disclosures or transfers will take place to anyone either within or outside the College. Authorised disclosures or transfers are those that are defined within the appropriate Notifications (see paragraphs 6 9 above) and declared to the data subject either at the point of data collection or subsequently, the necessary consent for disclosure or transfer having been obtained if required. 15. To help ensure the security of personal data within the College, all those in West College Scotland who process personal data in the course of performing their duties are required to follow the general guidelines set out below. 16. Secure processing of personal data Each member of staff who, in the course of performing their legitimate duties, processes personal data, whether in electronic or paper format, must take reasonable precautions to ensure the safety and privacy of that data, in line with the Data Protection Procedure. For example: Filed personal data must be kept in a locked cabinet, drawer, or safe; Where personal data is held on computer, access to the computer must be via a secured login using a complex password that is reset at regular intervals. Where personal data is held on a laptop computer, the laptop itself must be kept physically secure while in transit or while not in use. There are many ways to secure this type of device e.g. propriety security cable, locked filing cabinet, drawer, or safe. Individual circumstance will dictate. It is important that a regular and secure backup schedule is applied to personal data If personal data is transferred to any type of removable storage media, that media must itself be kept secure while not in use. The copy of the personal data must be permanently deleted from the storage media as soon as it is no longer needed. Page 14 of 33

15 In open-plan offices, computer screens that could potentially be displaying personal data should not be positioned such that unauthorised staff may readily see that data. Screen locking should be invoked when a user with access to any type of personal data leaves the desk \ computer unattended for a short period. Log off and shut down are appropriate for longer periods away from the computer. Personal data in manual form, such as in paper files, correspondence or database printouts, should not be left in view in open-plan offices while the relevant staff members are away from their desks. They should instead be locked away or at least covered; Where manual records containing personal data are accessible to a number of staff in the course of their legitimate activities, access logbooks should be used where practicable to help monitor the whereabouts and use of such records. 17. Ordinarily, personal data should never be stored at staff members homes, whether in manual or electronic form, at remote sites. 18. In cases where off-site processing is felt to be necessary or appropriate, the agreement of the relevant member of the Senior Management Team must be obtained, and all the security guidelines given in this document must still be followed. 19. Staff should be aware that log files will record details of all users who access, alter or delete or attempt to access, alter or delete centrally held computerised databases and files containing personal data. The disclosure and transfer of personal data 20. Authorised and unauthorised disclosures Staff members who process personal data on behalf of the College will be made aware by their line managers or other appropriate staff of the purposes for which the data is processed and the legitimate parties either within or outside West College Scotland to whom that data, either in whole or in part, may be disclosed or transferred. Staff should Page 15 of 33

16 also familiarise themselves with the College s Data Protection Register entry (see paragraphs 6-9 above) which includes details of the purposes for which personal data is processed, and the recipients to whom the College may disclose certain classes of personal data. Any queries about whether personal data can be processed in a particular way should be addressed to your line manager or the Data Protection Officer. 21. Personal information must not be disclosed either orally or in writing or via Web pages or by any other means, manual or electronic, accidentally or otherwise, to any unauthorised third party. 22. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. 23. Security of data during transfer Where personal data is transferred between staff members within the College in the course of their legitimate activities, the level of security appropriate to the type of data and anticipated risks should be applied. For example, sensitive personal data should either be transferred by internal mail in sealed envelopes or by hand. If transferred by , it should be sent in a password-protected attachment, with the password being supplied separately. Further advice on password protecting documents can be obtained from IT Department. 24. Disclosures outside the College When a request to disclose or amend personal data held by the College is received from an individual or organisation outside the College, in general no data should be disclosed or amended unless the authority and authenticity of the request can be established. Disclosures requested by those claiming to be relatives or friends of the data subject should be refused unless the consent of the data subject is obtained for such disclosures or in one of the few situations where disclosure without consent is permitted by the law. Such requests should be forwarded to the Data Protection Officer to respond to. 25. Requests for the disclosure of personal data from the Police, Government bodies, the British Council or other official bodies and agencies should be investigated sufficiently to Page 16 of 33

17 verify the authenticity of the request and may then be acted upon if there is a legal requirement for such disclosure or the consent of the data subject has been given for the disclosure. Such requests should be forwarded to the Data Protection Officer to respond to. 26. Details of any specific procedures and practices to be adopted when responding to requests for disclosure in individual departments within the College will be available from the appropriate senior members of staff. Publication of College Information 27. While the majority of personal data held by the College is processed for internal support purposes and is never disclosed outside the institution, some categories of personal data are routinely or from time to time released through one or more forms of publication. This personal data could be published on the public Web site or in college publicity materials such as the annual prospectus. Noted below in paragraphs 29 to 31 are the anticipated areas where such data may be published. 28. Legal obligations When required by law the names of Senior Managers and members of the Board of Management of the College and certain other personal data relating to employees and Governors are published on the Web site. The College also fulfils all obligations placed upon it by its relationship with various funding bodies, Government Agencies and the like with regard to the release of personal data and statistical information concerning students and staff. Data subjects are informed of the College s obligations in this respect at the time the data is collected. 29. Staff Directory In order to meet the legitimate needs of visitors and enquirers to be able to make contact with appropriate staff, the College may at some future date make available on its public Web site a directory containing the job title, organisational unit, title, forename, surname, office telephone number, office room number and location and office address of each staff member. A complete directory is currently available on the College intranet and is only available to current staff. At the time of appointment or at the point the personal data Page 17 of 33

18 is made available via the directory for the first time, each individual member of staff will be asked to consent to this personal data appearing in the directory in its various formats. At any time (via a request to the Data Protection Officer) each individual member of staff will be able to request that their personal data, or any part of their personal data will not appear in this public directory. The Web-based public directory will be searchable by name and organisational unit and will only return personal data for those staff that have given their consent for this disclosure. 30. Staff personal data on Web pages Apart from the staff directory described above, staff biographical details or other personal data may be published on West College Scotland s Web sites or in other media, but only where the staff concerned have given their consent for such information to be made publicly available. However, publication in this way does not mean that such data can be reproduced without permission. West College Scotland retains control and copyright of such data and the data must not be reproduced or further processed without the College s express permission. 31. Student personal data on Web pages Apart from the obligations mentioned above (paragraph 28) the College will not ordinarily reveal any personal data of students enrolled at West College Scotland to any individual or body outside the College. It may also be the case that students enrolled on certain courses may produce Web-based material containing personal data as part of their course work. In such cases, responsibility for such disclosures rests entirely with the individual students concerned and is not indicative of any College-wide policy. Where a student is concerned with the release of personal data they should either contact their tutor for advice or contact the Data Protection Officer ( Retention and Disposal of Personal Data 32. The retention of personal data The College has a duty to retain some staff and student personal data for a period of time following their departure from the College, mainly for the purposes of being able to provide references and academic transcripts, or for financial reasons, for example relating to Page 18 of 33

19 pensions and taxation. Some material will also be retained to form part of the official College archive. The retention periods selected follow the guidance given in the JISC publication Study of the Records Life Cycle, Different categories of data will be retained for different periods of time, and these are set out in the following table. 33. The disposal of personal data When a record containing personal data is to be disposed of, the following procedures will be followed: All paper or microfilm documentation containing personal data will be permanently destroyed by shredding or incinerating, depending on the sensitivity of the personal data. All computer equipment or media that are to be sold or scrapped will have had all personal data completely destroyed, by re-formatting, over-writing or degaussing. 34. Employees and, where appropriate, students, will be provided with guidance as to the correct mechanisms for disposal of different types of personal data and audits will be carried out to ensure that this guidance is adhered to. In particular, employees and students will be made aware that erasing/deleting electronic files does not equate to destroying them. Type of Record Minimum Retention Period Reason for Length of Period Personnel files including training records, notes of disciplinary and grievance hearings, and appraisal forms Letters of reference 6 years from the end of employment Certain personal data may be held in perpetuity 6 years from the end of employment, by the author of the reference letter References and potential litigation Selected material will form part of the official College Archive References and potential litigation Page 19 of 33

20 Type of Record Minimum Retention Period Reason for Length of Period Application forms/interview notes At least 6 months from the date of the interviews Time limits on litigation Facts relating to redundancies where fewer than 20 redundancies 6 years from the date of redundancy As above Facts relating to redundancies where 20 or more redundancies Income Tax and NI Returns, including correspondence with tax office Statutory Maternity Pay records and calculations Statutory Sick Pay records and calculations 12 years from the date of the redundancies At least 3 years after the end of the financial year to which the records related As above As above Limitation Act 1980 Income Tax (Employment) Regulations 1993 Statutory Maternity Pay (General) Regulations 1986 Statutory Sick Pay (General) Regulations 1982 Wages and salary records 6 years Taxes Management Act 1970 Accident books, and records and reports of accidents 3 years after the date of the last entry Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985 Health Records During employment Management of Health and Safety at Work Regulations Health Records where reason for termination of 3 years Limitation period for personal injury claims Page 20 of 33

21 Type of Record Minimum Retention Period Reason for Length of Period employment is connected with health, including stress related illness Medical records kept by reason of the Control of Substances Hazardous to Health Regulations years The control of Substances Hazardous to Health Regulations 1999 Applicant records for those who are rejected or who decline an offer No more than 4 months after the start of the academic year Permits institution to handle enquiries from the data subject Student records of those not completing enrolment Within one academic year Permits institution to handle delayed enrolments Student records, including enquiries, applications, admissions, assessment, awards, attendance and conduct At least 6 years from the date that the student leaves the institution, in case of litigation for negligence At least 10 years for personal and academic references Certain personal data may be held in perpetuity Limitation period for negligence Permits institution to provide references for a reasonable length of time While personal and academic references may become stale, some data e.g. transcripts of student marks may be required throughout the student's Page 21 of 33

22 Type of Record Minimum Retention Period Reason for Length of Period future career. Upon the death of the data subject, data relating to him/her ceases to be personal data. Some selected material will form part of the official College Archive. Records documenting the formulation of plans for the implementation of the institution's finance strategy. Superseded + 10 years Records documenting the conduct and results of financial audits, and action taken to address issues raised. Last action on audit + 6 years 1973 Prescription and Limitation (Scotland) Act 1973 Records documenting all financial transactions. Records documenting Invitations to Tender and tender evaluation criteria. Records documenting the arrangement and renewal of insurance policies to meet defined requirements Current financial year + 6 years Termination of supply contract awarded + 6 years Commencement of policy + 40 years OR Renewal of policy + 40 years 1973 Prescription and Limitation (Scotland) Act Prescription and Limitation (Scotland) Act 1973 NA Page 22 of 33

23 Type of Record Minimum Retention Period Reason for Length of Period and legal obligations: employers' liability insurance. Subject Access Requests 35. All staff, students, applicants and other data subjects have a right under the Act to access personal data being kept about them at West College Scotland either on computer or in paper files. Any person who wishes to exercise this right should complete the Subject Access Request Form in Annexe 1 and submit it to the Data Protection Officer. 36. The College will make a charge of 10 on each occasion that access is requested, although the College has discretion to waive this. 37. The College will comply with requests for access to personal information promptly, but will ensure that the information is provided within 40 days, as required by the Act. 38. Students and former students should be aware that exam scripts are exempted from the subject access rules and copies will not ordinarily be given to those who make a subject access request. However, a copy or summary of both internal and external examiner s comments can be requested as part of a subject access request. If such a request is made before the results of the examination are announced, the College will provide the information within 5 months of the request being received or 40 days from the announcement of the result, whichever is the earlier, as required by the Act. The Processing of Personal Data within Specific Departments Activities involving the processing of personal data 39. Listed In the following sections are categories of activities carried out within each of the specified organisational units within the College that involve the processing of personal data. It is the responsibility of the appropriate Managers to ensure that sufficiently detailed Page 23 of 33

24 guidance is given to their staff to enable them to carry out these activities in accordance with the requirements of the Act. 40. Faculties Admissions administration Enquiries administration Faculty staff and function lists Examination administration and marking Staff management (includes development records, leave records etc) Student assessment activities Teaching activities and administration Teaching performance/assessment/review activities Student disciplinary activities 41. IT Department Department staff and function lists Staff directory maintenance Staff management (includes development records, leave records, etc) Student and staff support activities and records/help Desk Systems administration (MIS, , back-up/ storage, authentication, system logs, etc) Telephone system administration 42. Secretary to the Board of Management Archives management Corporate planning and management activities Governance activities (Committees, maintenance of the Register of interests of Board of Management and senior support staff, etc) 43. Estates CCTV Department staff and function lists Estates and Facilities management and letting Help desk administration Page 24 of 33

25 Mail system administration Security/access control systems and records Staff management (includes development records, leave records etc) 44. Marketing / Alumni relations management Department staff and function lists Events/conference administration Fundraising activities/donor administration etc Graduation ceremonies administration Mailing list administration and use Marketing Market research News/press release activities/public relations Other publication activities Staff management (includes development records, leave records etc) 45. Finance Archives management Department staff and function lists Financial management and accounting Payroll administration Grants administration Staff management (includes development records, leave records etc) Supplier/order/invoice administration 46.Organisational Development and HR Archives management Data protection administration Department staff and function lists Employee relations management Records or monitoring in accordance with the Equality Act 2010 Staff development and support activities/administration Page 25 of 33

26 Staff records administration Health and Safety activities and administration Staff management (includes development records, leave records, expenses records, etc) Staff recruitment Pension scheme administration Disclosure Scotland administration Payroll administration 47. Library Departmental staff and function list Loan and inter-library loan administration Security/access control systems and records Staff management (includes development records, leave records etc) Systems administration (catalogue, back-up/ storage, authentication, system logs, etc) 48. Quality, Management Information Services & Student Advisory Service Admissions administration Archives management Assessment administration Awards administration Department staff and function lists Enquiries administration Returns activities Staff management (includes development records, leave records etc) Student records administration, including disability information Student support activities 49. Students Association Clubs and Societies activities and administration Student support activities Union officers/staff and function lists Page 26 of 33

27 50. Nurseries Admissions admin Assessment admin Staff management etc Children records Child protection records Page 27 of 33

28 Annex 1 West College Scotland Subject Access Request Form 1. Details of the person requesting the information. Full name: Address: Telephone number: Fax Number: 2. Are you the Data Subject? YES If you are the Data Subject please supply evidence of your identity i.e. passport, driving licence, birth certificate (or photocopy). We recommend if sending originals by post you use recorded delivery. We will return any originals you send us by recorded delivery, or you can arrange to collect in person. Please also state your relationship to West College Scotland: I am a current/former member of staff I am a current/former student I am neither of the above Please now go to question 5. Page 28 of 33

29 NO Are you acting on behalf of the Data Subject with their written authority? If so, that authority must be enclosed. Please also state the relationship of the Data Subject to West College Scotland: The Data Subject is a current/former member of staff The Data Subject is a current/former student The Data Subject is neither of the above Please now go to questions 3 and Details of the Data Subject (if different from 1.) Full name: Address: Telephone number: Fax Number: 4. Please describe your relationship with the Data Subject that leads you to make this request for information on their behalf. Page 29 of 33

30 5. If you wish to see only certain specific personal data, for example that contained in a particular examination report, a specific departmental file etc, please describe these below: 6. If you would like a more general search, please note that the College is able to search the following sections for personal data. Please indicate the sections that you would like searched: Student Records Human Resources Library Finance Teaching section files and information systems Please specify which Faculty: Other Support Department files and information systems Please specify which Support section(s): Page 30 of 33

31 7. Declaration I certify that the information given on this application form is true. I understand that it is necessary for the College to confirm my/the Data Subject s identity and it may be necessary for more detailed information to be obtained in order to locate the correct information. Signed: Date: Please return the completed form to the Data Protection Officer at the address given below: West College Scotland, Queens Quay, Clydebank, G81 1BF or Documents which must accompany this application are: evidence of your identity evidence of the Data Subject s identity (if different from above) evidence of the Data Subject s consent to disclose to a third party (if required as indicated above) a fee of 10 (cheques to be made payable to West College Scotland) Please note that in responding to your request the College may withhold personal data under the terms of the Data Protection Act Office use only Request received: Date completed: Page 31 of 33

32 Notes: Page 32 of 33

33 EQUALITY IMPACT ASSESSMENT Name of policy/procedure/decision: Data Protection Procedure and Code of Practice. Provide a brief summary of the aims of the policy/procedure/decision and main activities: This Procedure and Code sets out the procedure for the processing of personal data by West College Scotland. It has been developed to ensure that College processes comply with the Data Protection Act (DPA) and the Data Protection Principles. Assessed By: Clare Fraser Date: 6 June 2014 This stage establishes whether a policy, procedure or decision will have a differential impact from an equality perspective on people who share protected characteristics or whether it is equality neutral (i.e. have no effect either positive or negative). The protected characteristics are: age, disability, gender reassignment, pregnancy or maternity, race, religion or belief, sex and sexual orientation. 1. Who will benefit from this (students/staff/stakeholders)? Is there likely to be a positive impact on people who share protected characteristics, and if so, how? Or is it clear at this stage that it will be equality neutral? i.e. will not have a differential impact on any equality group/s? This Procedure should benefit all staff and students as it should increase confidence in how WCS processes personal data. There will be particular benefits for people who share the protected characteristics of race, disability and religion or belief as information relating to these characteristics is defined by the DPA as sensitive personal data. Accordingly, there are additional measures in place to ensure that such information is processed sensitively and confidentially. 2. Is there likely to be an adverse impact on people who share protected characteristics? If so, who may be affected and why? Or is it clear at this stage that it will be equality neutral? This policy has been developed to comply with UK law and will not have an adverse impact on people who share protected characteristics. 3. What action will you take to ensure that you are monitoring the impact of this policy? Monitoring of this policy will take place through student complaints and HR grievances data. Page 33 of 33

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will:

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will: Data Protection Policy Introduction. Team Bees is required to maintain certain personal data about living individuals for the purposes of satisfying operational and legal obligations. Team Bees recognises

More information

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY Introduction 1. Looe Community Academy Trust (the Academy) is required to maintain certain personal data about living individuals for the purposes of

More information

Data Protection Policy and Code of Practice

Data Protection Policy and Code of Practice Data Protection Policy and Code of Practice October 2015 Reviewed and approved by Sentamu Academy Learning Trust Board of Directors on 19 th October 2015 0 Sentamu Academy Learning Trust DATA PROTECTION

More information

Data Protection Policy

Data Protection Policy Data Protection Policy January 2016 Next Review Due: January 2017 Co-ordinator: Miss M Rudge/Mrs J McColl 1 ACADEMY DATA PROTECTION POLICY POLICY DATE: JANUARY 2016 REVIEW DATE: JANUARY 2017 Introduction

More information

Data Protection Policy and Code of Practice

Data Protection Policy and Code of Practice Data Protection Policy and Code of Practice DATA PROTECTION POLICY and Code of Practice Contents Page Data Protection Policy 2. Introduction Status of this Policy The Data Controller and the Designated

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Data protection policy

Data protection policy Data protection policy Introduction The College is required to keep certain information about employees, students and other users to allow it to monitor performance, achievements, health and safety, recruitment

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Data Protection Policy and Procedure

Data Protection Policy and Procedure Data Protection Policy and Procedure INTRODUCTION West Nottinghamshire College is committed to preserving the privacy of its students and employees and to complying with the Data Protection Act 1998. To

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

The Manchester College

The Manchester College The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

HUMAN RESOURCES POLICIES & PROCEDURES

HUMAN RESOURCES POLICIES & PROCEDURES HUMAN RESOURCES POLICIES & PROCEDURES Policy title: Data protection policy Application: All employees CONTENTS PAGE Introduction 2 Status of the Data Protection Policy 2 Notification of data held and processed

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007 East Northamptonshire Council Policy & Community Development Data Protection Policy December 2007 If you would like to receive this publication in an alternative format (large print, tape format or other

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Data Protection Policy

Data Protection Policy 1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.

More information

E-SAFETY POLICY 2014/15 Including:

E-SAFETY POLICY 2014/15 Including: E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES

SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES 1 1 Definitions In these conditions:- We means Scotland s Commissioner for Children and Young People,

More information

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES INTRODUCTION These Policies and Procedures apply to all CIPFA volunteers that have access to, use, store and share significant amounts of personal data. It is critically important that this data is handled

More information

This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged to read.

This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged to read. A basic guide to the Data Protection Act 1998 October 2002 INTRODUCTION This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

ILM Factsheet Dealing with data under the Data Protection Act 1998

ILM Factsheet Dealing with data under the Data Protection Act 1998 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

The Chafford School. Data Protection and Freedom of Information Policy

The Chafford School. Data Protection and Freedom of Information Policy The Chafford School Data Protection and Freedom of Information Policy INDEX Aims & Objectives... 3 Data Protection The law... 3 Processing, storing, archiving and deleting personal data: Guidance... 3

More information

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

West Sussex County Council. Guidance on Information Law for Schools

West Sussex County Council. Guidance on Information Law for Schools This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Page 1 of 10 Table of Contents 1. Points of Contact for this Policy 4 2. Purpose of Data Protection Policy 4 3. Overview of the Data Protection Act 1998 5 4. Confidentiality and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development

More information

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information. MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

INFORMATION SHARING AGREEMENT

INFORMATION SHARING AGREEMENT University of Essex And Essex Police INFORMATION SHARING AGREEMENT September 2011 Version Published 1 1. INTRODUCTION 2. PURPOSE AND SCOPE OF THIS AGREEMENT 3. BENEFITS OF SHARING THIS INFORMATION 4. AGREEMENT

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

Human Resources Policy No. HR46

Human Resources Policy No. HR46 Human Resources Policy No. HR46 Maintaining Personal Files and ESR Records Additionally refer to HR04 Verification of Professional Registration HR33 Recruitment and Selection HR34 Policy for Carrying Out

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

DATA PROTECTION ACT POLICY

DATA PROTECTION ACT POLICY DATA PROTECTION ACT POLICY Personal data shall be obtained, maintained, stored, used and passed on only in strict accordance with the Act 1998. KIDS is registered according to the Data Protection Act 1998

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY

IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY Purpose The purpose of this policy is to provide the IFRS Foundation with a framework to govern management decisions on whether particular documents

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Subject Access Request (SAR) Procedure

Subject Access Request (SAR) Procedure Subject Access Request (SAR) Procedure East and North Hertfordshire Clinical Commissioning Group Page 1 of 16 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Document Management: Date Policy Approved: 29 April 2015 Date Amended: Next Review Date: April 2017 Version: 1 Approving Body: Resources Committee 1 1. Introduction The Data Protection

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998. BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

Data Protection Acts 1988 and A Guide to Your Rights

Data Protection Acts 1988 and A Guide to Your Rights Data Protection Acts 1988 and 2003 A Guide to Your Rights :1 Definitions As with any legislation, certain terms have particular meaning. The following are some useful definitions: Data means information

More information

UXBRIDGE COLLEGE EQUALITY AND DIVERSITY POLICY. Person responsible: Director of Learning and Support Services Director of Human Resources

UXBRIDGE COLLEGE EQUALITY AND DIVERSITY POLICY. Person responsible: Director of Learning and Support Services Director of Human Resources UXBRIDGE COLLEGE EQUALITY AND DIVERSITY POLICY Subject: Equality and Diversity Origination Date: September 2002 Last approved: November 2015 Effective date: November 2015 Person responsible: Director of

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014 Privacy Policy Approved by: College Board, 01/12/2005 Principal from 14/02/2014 Revised Date: 11/01/2008 26/08/2011 19/03/2013 14/02/2014 Review Date: 14/02/2016 PLEASE NOTE: Version control for this document

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council Huntly Nordic Ski and Outdoor Centre Reference No: 200600082 Decision Date: 30 March 2009 Kevin Dunion Scottish Information Commissioner Kinburn Castle Doubledykes Road St Andrews KY16 9DS Tel: 01334 464610

More information

Privacy and Data Protection Policy

Privacy and Data Protection Policy Privacy and Data Protection Policy Policy CP017 Prepared Reviewed Approved Date Council Minute No. Manager Corporate Administration SMT Council 25 February 2016 2016/0032 Trim File: 18/02/01 To be reviewed:

More information

Access to Information: Data Protection and Freedom of Information

Access to Information: Data Protection and Freedom of Information Access to Information: Data Protection and Freedom of Information Records Management Section Data protection: key concepts Personal data Sensitive personal data Data subjects Data protection principles

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

Chapter 1 Introduction and guidance for employers

Chapter 1 Introduction and guidance for employers A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information