Chapter 1 Introduction and guidance for employers

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Chapter 1 Introduction and guidance for employers"

Transcription

1 A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests Managing Data Protection Conclusion Further information Technical Guidance notes Detailed Specialist Guidance

2 DATA PROTECTION LAW FOR EMPLOYERS 2008 Chapter 1 Introduction and guidance for employers Introduction The Data Protection Act applies to most employers in the UK. Whether they have registered or notified the Information Commissioner that they hold personal data which is caught by the Act or not, they must still comply with eight data protection principles and ensure they give individuals access to copies of the personal data of those individuals, which is held about them by the employer known in this context as the data controller. This report looks at how the Act affects employers rather than describes the Act in all its provisions. Lots of useful guidance on the Act is contained in the Introduction to the Act published by the IC on the IC s website. The eight data protection principles are that personal data must be: 1. processed fairly and lawfully 2. processed for limited purposes and not in any manner incompatible with those purposes 3. adequate, relevant and not excessive 4. accurate 5. not kept for longer than is necessary 6. processed in line with data subjects rights 7. secure 8. not transferred to countries that do not protect personal data adequately. 6 A THOROGOOD SPECIAL BRIEFING

3 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Subject access requests Employees, just like anyone else, whose personal data is held by someone have a right of subject access under section 7 of the Act to see the data held about them. Many employers find it useful to have a form for this purpose. If inaccurate data is held about someone they have a right to have it corrected and even to obtain a court order to force it to be corrected. There are also rights to sue for damages if loss has been suffered by a data subject arising from a breach of the Act. Compliance It is an obligation of the data controller to comply with the Act. This will be a limited company or could be a sole trader or partnership. However, companies act through their employees and directors, and it will be employees who either ensure the company complies or whose conduct results in a breach of the act. It may be wise to appoint an employee as the data protection compliance officer. For Government bodies the Data Controller is the Secretary of State. For other public organisations, it is usually the organisation itself that is liable. The IC has an Audit Manual on their website which helps companies to check if they comply. The IC has powers to take enforcement action if a breach of the Act occurs. Companies can be forced to change their policies or correct or delete records. Breach of the Act is a criminal offence. Offences include failing to register (notify), not keeping a notification up-to-date, unlawfully obtaining personal data and unlawfully selling the data. There are also rights to sue for damages to obtain compensation if the Act has been breached. Changing law This report looks at the Data Protection Act This brought an EU data protection directive into force in the UK. That directive was agreed in 1996 and in 2003 was being re-examined by the European Commission. It is possible it will be altered. In May 2003, the European Commission adopted the first report on the implementation of the Data Protection Directive. The report notes that the directive has broadly achieved its aim of ensuring strong protection for privacy but A THOROGOOD SPECIAL BRIEFING 7

4 DATA PROTECTION LAW FOR EMPLOYERS 2008 that late implementation by some member states, along with differences in national approaches, has prevented the EU from obtaining the full benefit of the Directive. Information on EU data protection law and documents reporting on progress under the directive is at: The Employment Practices Code This report principally concentrates on the application of the Act in the employment area as the IC construes this through its Employment Practices Code. What is this Code of Practice for? The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Who does data protection cover in the workplace? The Code is concerned with data that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term workers is used to cover all these individuals. As such it includes: Applicants (successful and unsuccessful). Former applicants (successful and unsuccessful). Employees (current and former). Agency workers (current and former). Casual workers (current and former). Contract workers (current and former). Some benchmarks will also apply to others in the workplace such as volunteers and those on work experience placements. What data are covered by the Code? It is likely that most information about workers that is processed by an organisation will fall within the scope of the Data Protection Act and therefore within the scope of this Code. 8 A THOROGOOD SPECIAL BRIEFING

5 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Personal data The Code is concerned with personal data. That is, information which: relates to a living person, and identifies an individual either on its own or together with other information that is in the organisation s possession or that is likely to come into its possession. All automated and computerised personal data is covered by the Act. It also covers personal data put on paper or microfiche and held in any relevant filing system. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered. A relevant filing system essentially means any set of information about workers in which it is easy to find a piece of information about a particular worker. A case called Durant v FSA looked at what this meant. It proposed a temporary secretary test if the temp can be sent to find the manual (ie non computer file) on an individual and can find it then it is likely to be sufficiently part of a structured set to fall within the ambit of the Act. Processing The Act applies to personal data that is subject to processing. For the purposes of the Act, the term processing applies to a comprehensive range of activities. It includes the initial obtaining of personal data, how it is kept and used, any access and disclosure of it and even its final destruction. Sensitive personal data Some particularly important data, such as about people s sexual inclinations or health, is classed as sensitive personal data. It must only be processed if explicit consent has been obtained for the processing. Sensitive data is data about: racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), physical or mental health or condition, A THOROGOOD SPECIAL BRIEFING 9

6 DATA PROTECTION LAW FOR EMPLOYERS 2008 sexual life, commission or alleged commission of any offence, or proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive data found in a workers record might typically be about their: physical or mental health as a part of sickness records disabilities to facilitate adaptations in the workplace, racial origin to ensure equality of opportunity, and trade union membership to enable deduction of subscriptions from payroll. The IC says: In the context of recruitment and selection typical circumstances in which sensitive personal data might be held include: relevant criminal convictions to assess suitability for certain types of employment. disabilities to ensure special needs are catered for at interview or selection testing. racial origin to ensure recruitment processes do not discriminate against particular racial groups. The Act sets out a series of conditions, at least one of which has to be met before an employer can collect, store, use, disclose or process sensitive personal data. The conditions include: The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Note: This condition can have quite wide application in the context of recruitment and selection. Employers rights and obligations may be conferred or imposed by statute or common law, which in this context means decisions in relevant legal cases. For example, they will include obligations to: 1. Ensure the health, safety and welfare of a worker at work. 2. Select safe and competent workers. 3. Ensure a safe working environment. 4. Not discriminate on the grounds of race, sex or disability. 10 A THOROGOOD SPECIAL BRIEFING

7 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS 5. Ensure the reliability of workers with access to personal data. 6. Protect customers property or funds in the employer s possession. 7. Check immigration status before employment. The IC says: Thus an employer may be able to collect information as to an applicant s criminal record or health in the recruitment process if this can be shown to be necessary to enable the employer to meet its obligations in relation to the safety of its workers or others to whom it owes a duty of care. The collection of sensitive personal data must however be necessary for exercising or performing a right or obligation which is conferred or imposed by law. This condition would not, for example, be satisfied if the employer obtains information on the criminal convictions of all applicants in order to protect its staff or customers if the protection could equally be provided by obtaining this information only on the successful applicant prior to confirmation of appointment. The processing: 1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), 2. is necessary for the purpose of obtaining legal advice, or 3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights. Note: The application of this condition in the context of recruitment and selection is quite limited but it might, for example, be relied on to enable a prospective employer to process sensitive personal data to defend him or herself were an applicant to make a claim of unlawful discrimination. The processing: 1. is of information in categories relating to racial or ethnic origin, religious or other beliefs or physical or mental health, 2. is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment, 3. there are safeguards for the data subject. Note: This condition will be relevant to equal opportunities monitoring related to racial origin, religion and disability. Processing must be necessary emphasising that wherever practicable, monitoring should be based on anonymous or aggregated information. A THOROGOOD SPECIAL BRIEFING 11

8 DATA PROTECTION LAW FOR EMPLOYERS 2008 The processing is necessary: 1. for the exercise of any functions conferred on any person by or under an enactment, or 2. for the exercise of any functions of the Crown, a Minister of the Crown or a government department. Note: This condition is most likely to be relevant to public sector bodies that may have specific legal duties placed on them in relation to the qualifications, attributes, background or probity of their workers. It will also be relevant when a public sector body concludes that in order to discharge its wider statutory functions it is necessary for it to process sensitive personal data, such as criminal convictions relating to applicants or, in exceptional cases, their family or close associates. It is likely, for example, to be relevant to the recruitment of police or prison officers. The data subject has given explicit consent to the processing: Note: Employers seeking to rely on this condition must bear in mind that: the consent must be explicit. This means the applicant must have been told clearly what personal data are involved and the use that will be made of them. The applicant must have given a positive indication of agreement (e.g. a signature), the consent must be freely given. This means the applicant must have a real choice whether or not to consent and there must be no significant detriment that arises from not consenting. Importantly the commissioner says: The extent to which consent can be relied upon in the context of employment is limited because of the need for any consent to be freely given. However, in relation to the recruitment and selection of workers this is less of a constraint. Individuals in the open job market will usually have a free choice whether or not to apply for a particular job. If consent to some processing of sensitive data is a condition of an application being considered this does not prevent the consent being freely given. It must of course be clear to the applicant exactly what he or she is consenting to. As recruitment proceeds it becomes less likely that valid consent can be obtained. If, for example, the direct consequence of not consenting is the withdrawal of a job offer the consent is unlikely to be freely given. 12 A THOROGOOD SPECIAL BRIEFING

9 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Making access requests The Act allows for any individual to make a subject access request to any organisation that he or she believes is processing his or her personal data. This request must be in writing, so by letter or . Once an organisation receives such a request it must respond promptly, or at the most within 40 calendar days. There is similar legislation in the Freedom of Information Act This allows anyone, companies as well as individual data subjects, to request information held by public bodies (it does not apply to bodies other than those in the public sector). This requires that such requests be made within 20 days. Many public sector bodies have harmonised their procedures to comply with the DPA and the FOIA and thus provide for a 20 (not a 40) day period. However, companies in the private sector, should stick with 40 days under the DPA. The data controller, in response to a request, must produce copies of the information it holds in an intelligible form. A charge of up to 10 can be made. The 40 day period starts once the organisation has received the fee together with any information it needs to verify the identity of the individual making the request, and to locate the information that the individual seeks. Practical guidance subject access requests Many companies have a form they ask data subjects to complete when making a request so that the company receives all the identification information it needs. It is wise to have such a form ready. Always check the individual is who they say they are before providing information. Never provide information for a spouse about their spouse for example. Consider requesting the applicant to narrow down what they are interested in discovering although all information must be supplied if requested it is often in practice wise to ask what are they particularly after to make the task for finding it easier. There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations. The exemptions, though, are limited in their application even within these areas. THIRD PARTY DATA Be careful not to disclose third party data in responding to requests. The IC has guidance on the IC website on subject access and third party data to which reference should be made. A THOROGOOD SPECIAL BRIEFING 13

10 DATA PROTECTION LAW FOR EMPLOYERS 2008 Managing Data Protection Most businesses will need to nominate someone to take charge of data protection in their company. The Information Commissioner suggests standards for managing data protection which are common to all four areas of the employment Code of Practice as follows: Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal data are seen as the norm. The benchmarks 1. Establish a person within the organisation responsible for ensuring employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice. 2. Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in light of this. 3. Assess what personal data about workers is in existence and who is responsible for them. 4. Eliminate the collection of personal data that is irrelevant or excessive to the employment relationship. If sensitive data is collected ensure that a sensitive data condition is satisfied. 5. Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer s policies and procedures. Make serious breaches of data protection rules a disciplinary offence. 6. Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification. 7. If applicable, consult trade unions or other workers representatives, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers data. 14 A THOROGOOD SPECIAL BRIEFING

11 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Notes and examples 1. In a small business, the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function, or someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a co-ordinated approach to data protection compliance. Ideally data protection should be seen as an integral part of employment procedures rather than as a stand alone requirement. For example, in the company s written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers. 2. It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company s IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance (for example, by ensuring that waste paper bearing personal data is properly disposed of). An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager in regards to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place. 3. It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, i.e. personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in your organisation will be collecting, using, storing and destroying such information. Only when you have ascertained this will you be able to check that your organisation is complying with the Act. A THOROGOOD SPECIAL BRIEFING 15

12 DATA PROTECTION LAW FOR EMPLOYERS When making your assessment of personal data consider if all the information collected on workers is necessary for the employment relationship. For example, information concerning workers lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers other jobs where there is a justifiable need, for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition. 5. Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, e.g. disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations. 6. Failing to notify when required to do so or failing to keep a notification up-to-date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers data on the Register of Data Controllers are complete, accurate and up-to-date. This may be a duty that he or she personally undertakes or it may be delegated. 7. Consultation is not in itself a legal requirement. Nevertheless consultation should help ensure processing of personal data is fair to the workers to whom the data relates. Conclusion The data protection legislation has wide application in the field of employment and employers need to consider its application from the recruitment stage, addressed in the next chapter, right through to termination of the employment contract and beyond. 16 A THOROGOOD SPECIAL BRIEFING

13 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Further information The Information Commissioner s website has the following guidance which is also regularly added to and expanded from time-to-time at (this list is current as of January 2008). Codes of practice Framework code of practice for sharing personal information Quick Guide to the Employment Practices Codes The Employment Practices Code The Employment Practices Code: Supplementary Guidance Code of Practice on Telecommunications Directory Information and Fair Processing. CCTV Technical Guidance notes These notes provide advice and information on the technical issues that affect both data protection and freedom of information. Determining what is personal data This technical guidance note explains and illustrates the Information Commissioner s view of what is personal data for the purposes of the Data Protection Act It is designed to help data protection practitioners decide whether data falls within the definition of personal data in circumstances where this is not obvious. Frequently asked questions and answers about relevant filing systems This technical guidance will help data controllers to decide whether the personal information they have is held in a relevant filing system as defined by the Data Protection Act. A THOROGOOD SPECIAL BRIEFING 17

14 DATA PROTECTION LAW FOR EMPLOYERS 2008 Filing defaults with credit reference agencies The aim of this guidance is to provide advice to credit grantors on the conditions under which information about defaults is filed with the credit reference agencies. Only if credit grantors file defaults information in broadly comparable circumstances to each other will credit reference agency records provide meaningful information about the financial standing of individuals, and be processed in a way that is fair to those individuals. The guidance sets common standards for filing defaults while recognising that some differences exist with the wide range of credit products available. Access to pupil s information held by schools in England/Wales/Scotland/Northern Ireland These guidance notes will help state primary and secondary schools and Boards of Governors in England, Wales, Scotland and Northern Ireland understand their responsibilities under the Data Protection Act regarding requests for pupil s information. The guidance for Scotland is also intended for independent schools. Local education and library boards may also find them useful. These notes also cover the separate right of access that parents have to the official educational record of their child. The use of personal information held for collecting and administering council tax This note explains the Commissioner s approach to the use of personal information obtained for the administration of council tax. Disclosures to MPs carrying out constituency casework Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order S.I.2002 No Radio frequency identification This technical note summarises RFID technology, its usage, and how the Data Protection Act 1998 applies. It is aimed at those using or thinking of using RFID technology. 18 A THOROGOOD SPECIAL BRIEFING

15 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Privacy enhancing technologies (PETs) This technical note is intended to raise awareness of the concept of privacy enhancing technologies and is aimed at system designers and those commissioning them. It will give a brief description of privacy enhancing technologies but draws on the extensive information published elsewhere. It is not intended to be an exhaustive account, rather a point of entry for readers who wish to further their own research. Subject access requests and legal proceedings The aim of this guidance is to provide an explanation to legal practitioners and data protection specialists of the Information Commissioner s view on the exercise of these access rights where legal proceedings are contemplated or ongoing. Subject access requests involving other people s information This technical note replaces previous guidance on this subject and deals with the potential conflict between an individual s right of access and a third party individual s rights to privacy of confidentiality. Freedom of information: access to information about public authority employees This guidance gives public authorities practical advice about dealing with requests made under the Freedom of Information Act for access to information about their employees. It should be read in conjunction with our freedom of information awareness guidance 1 about personal information which is available on the exemptions guidance section of the website. Health data: use and disclosure Health records: subject access Local authorities: data sharing Model contracts for transfer to other organisations Model contracts for data processors processing personal information on their behalf Notification of barristers chambers Notification of pension scheme trustees Promotion of a political party A THOROGOOD SPECIAL BRIEFING 19

16 DATA PROTECTION LAW FOR EMPLOYERS 2008 Registration officers: right to inspect local authority records Vehicle keepers information: implications on use and disclosures Detailed Specialist Guidance International transfers of data. See: list_guides/international_transfers_legal_guidance_v2.0_ pdf Audit Guide. See: list_guides/data_protection_complete_audit_guide.pdf Good practice notes Security of personal information This good practice note aims to alert small and medium sized organisations to the security measures they should have in place to protect the personal information they hold. Training checklist for small and medium sized organisations High-profile security breaches have increased public concern about the handling of personal information. We recognise that some organisations have limited resources to devote to staff training. This note outlines some of the practical implications of the Act and is intended as a basic training framework for general office staff in small and medium sized organisations. The exemption from notification for not-for-profit organisations This note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under DPA 1998 for not-for-profit organisations. Publication of Examination Results by Schools This good practice note aims to explain to boards of governors, head teachers and school data protection officers how the Data Protection Act (the Act) affects the publishing of examination results. 20 A THOROGOOD SPECIAL BRIEFING

17 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS The use and disclosure of information about business people The aim of this good practice note is to explain to local authorities how the Data Protection Act (the Act) applies to the sharing and use of information about business people. This could be information, for example, about a business person s payment of business rates or the results of an environmental health inspection of his or her premises. Collecting personal information using websites This guidance is a set of frequently asked questions for anyone collecting personal information using websites. Calling existing customers listed on the Telephone Preference Service This guidance explains the position regarding calling existing customers for marketing purposes when they are currently registered on the Telephone Preference Service (TPS) or those who subsequently register. Advice to local authorities on disclosing personal information to elected members. This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Advice for the elected and prospective members of local authorities This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Checklist for handling requests for personal information (subject access requests) This guidance aims to assist small and medium sized organisations that receive requests for information covered by the Data Protection Act The use of violent warning markers This good practice note explains to those working with the public how best to manage the use of violent warning markers. Corporate Telephone Preference Service This good practice note explains how companies can register their telephone numbers with the Corporate Telephone Preference Service A THOROGOOD SPECIAL BRIEFING 21

18 DATA PROTECTION LAW FOR EMPLOYERS 2008 (CTPS), and the rules that apply to calling companies that have registered their numbers. Releasing information to prevent or detect crime This good practice note explains what you need to consider when you are asked to release personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. It is intended as a guide for organisations that do not normally receive requests of this kind. Monitoring under section 75 of the Northern Ireland Act 1998 This good practice note aims to make clear that the Data Protection Act 1998 allows monitoring under section 75 of the Northern Ireland Act It also aims to provide advice for public authorities that are required to carry out such monitoring. Automatic renewal of policies or membership by credit or debit card This good practice note explains how insurance companies and other organisations can comply with the Data Protection Act 1998 when automatically renewing a policy, membership or other arrangement where a fee has to be paid. This note covers payment of fees by credit or debit card but not by direct debit. Tied agents and independent financial advisors This good practice note is aimed at firms of tied agents and independent financial advisors. It gives advice on common issues raised with the Information Commissioner about how to comply with the Data Protection Act. The term firm includes sole traders and partnerships. Outsourcing a guide for small and medium sized businesses This good practice note sets out what you need to do to comply with the Data Protection Act when you outsource the processing of personal information. Typical examples would include outsourcing your payroll function or customer mailings. It sets out which parts of the Act are important when outsourcing and provides some good practice recommendations. 22 A THOROGOOD SPECIAL BRIEFING

19 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Buying and selling customer databases This good practice note explains what organisations need to do to make sure they comply with the Data Protection Act when buying and selling databases which contain customers personal information. It is not intended to cover the purchase and sale of confidential personal information. This advice is for use when a business is insolvent or closing down or when as asset is being sold, either by the owner or an insolvency practitioner. How does the Data Protection Act apply to professional opinions? This good practice note aims to inform organisations and practitioners about some of the data protection issues that arise in relation to the information about individuals that they record in their professional opinions. The information in this note may also be of interest to individuals. Pension trustees and their use of administrators This good practice note explains to pension trustees how to comply with their obligations under the Data Protection Act 1998 when they use pension administrators to help them run a pension scheme. Subject access and employment references This good practice note clarifies how the Data Protection Act applies to employment references. The recommendations also apply to other types of reference, such as those provided for educational purposes. Disclosing information about tenants This good practice note answers some frequently asked questions from landlords about how the Data Protection Act applies to them, the information they hold about their tenants and information held on their behalf by a letting agent. Charities and marketing This good practice note explains what charities and voluntary organisations need to do to comply with data protection law when they carry out marketing activities. Electronic mail marketing This good practice note is aimed at helping businesses understand the dos and don ts of electronic mail marketing and gives an overview of the rules in the Privacy and Electronic Communications Regulations. A THOROGOOD SPECIAL BRIEFING 23

20 DATA PROTECTION LAW FOR EMPLOYERS 2008 Individuals rights of access to examination records This good practice note explains the right to access examination records under the Data Protection Act. The Freedom of Information Act also gives individuals the right to access other (non-personal) information held by public authorities. Providing personal account information to a third party This good practice note is aimed at helping people to decide whether or not to give information to third parties calling on behalf on an account holder. Taking photos in schools This good practice note is aimed at Local Education Authorities and those working within Schools, Colleges and Universities. Telephone marketing by a political party This good practice note is aimed at the public and political parties. Getting it right: a brief guide to data protection for small businesses Getting it right: small business checklist Schools: exam results disclosure to the media 24 A THOROGOOD SPECIAL BRIEFING

Data Protection Policy

Data Protection Policy Data Protection Policy Type: Status: Policy Statutory Issue Status:- Date Version Comment Owner April 2014 1 Original document Julie Taylor Electronic copies of this document are available to download

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

ILM Factsheet Dealing with data under the Data Protection Act 1998

ILM Factsheet Dealing with data under the Data Protection Act 1998 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Page 1 of 10 Table of Contents 1. Points of Contact for this Policy 4 2. Purpose of Data Protection Policy 4 3. Overview of the Data Protection Act 1998 5 4. Confidentiality and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

ADLS GUIDANCE NOTE. Therefore, in order to process sensitive personal data fairly and lawfully specifically for research purposes:

ADLS GUIDANCE NOTE. Therefore, in order to process sensitive personal data fairly and lawfully specifically for research purposes: ADLS GUIDANCE NOTE Can a researcher legitimately process sensitive personal data for research purposes? This guidance note provides information on processing sensitive personal data for research purposes.

More information

West Sussex County Council. Guidance on Information Law for Schools

West Sussex County Council. Guidance on Information Law for Schools This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007

East Northamptonshire Council Policy & Community Development. Data Protection Policy December 2007 East Northamptonshire Council Policy & Community Development Data Protection Policy December 2007 If you would like to receive this publication in an alternative format (large print, tape format or other

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Notification exemptions A self-assessment guide

Notification exemptions A self-assessment guide Data Protection Important information Changes to the notification fee structure came into effect on 1 October 2009 and the 35 flat fee no longer applies. Further information can be found at www.ico.gov.uk

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Historic Environment Scotland

Historic Environment Scotland Historic Environment Scotland Data Protection Policy September 2015 Document Control Title Data Protection Policy Author Head of Records Management Approved by HES Board Date of Approval 16/11/2015 Version

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose

More information

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 1 Document Control Document Title DATA PROTECTION POLICY References O-DPA01 Version V1.1 Classification Unclassified Status Issued Last Review August 2011

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Policy Procedure. Data Protection Act Contents

Policy Procedure. Data Protection Act Contents Policy Procedure Data Protection Act 1998 New policy number: 351 Old instruction number: MAN:A030:a2 Issue date: 20 April 2004 Reviewed as current: 16 January 2015 Owner: Head of Information and Communications

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Data Protection Acts 1988 and A Guide to Your Rights

Data Protection Acts 1988 and A Guide to Your Rights Data Protection Acts 1988 and 2003 A Guide to Your Rights :1 Definitions As with any legislation, certain terms have particular meaning. The following are some useful definitions: Data means information

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Guidance on the Processing of Personal Data for Research Purposes 1

Guidance on the Processing of Personal Data for Research Purposes 1 Guidance on the Processing of Personal Data for Research Purposes 1 1. Background The University of the West of Scotland has a reputation as a provider of high quality applied research. Some of the research

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

Data protection. The employment practices code

Data protection. The employment practices code Data protection The employment practices code Contents 3 Contents About the code 4 Managing data protection 11 Good practice recommendations 11 Part 1: Recruitment and selection 14 About Part 1 of the

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

INFORMATION SHARING AGREEMENT

INFORMATION SHARING AGREEMENT University of Essex And Essex Police INFORMATION SHARING AGREEMENT September 2011 Version Published 1 1. INTRODUCTION 2. PURPOSE AND SCOPE OF THIS AGREEMENT 3. BENEFITS OF SHARING THIS INFORMATION 4. AGREEMENT

More information

Data Protection Policy

Data Protection Policy Data Protection Policy BMBC Data Protection Policy V1 Page 1 of 7 Table of Contents 1 INTRODUCTION... 3 2 POLICY STATEMENT... 3 3. SCOPE... 3 4 DATA PROTECTION PRINCIPLES... 4 5 PREREQUISITE CONDITIONS

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

DATA PROTECTION AUDIT GUIDANCE

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

More information

Data Protection for Schools Compliance Checklist

Data Protection for Schools Compliance Checklist Data Protection for Schools Compliance Checklist Here is a simple bullet point list of actions your school should take to work towards compliance with the Data Protection Act. It is a non - exhaustive

More information

DATA PROTECTION ACT POLICY

DATA PROTECTION ACT POLICY DATA PROTECTION ACT POLICY Personal data shall be obtained, maintained, stored, used and passed on only in strict accordance with the Act 1998. KIDS is registered according to the Data Protection Act 1998

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

June Fair processing notice Our policy for handling personal data

June Fair processing notice Our policy for handling personal data June 2016 Fair processing notice Our policy for handling personal data The Government Actuary s Department (GAD) handles personal information in compliance with the Data Protection Act 1998 (the Act).

More information

37. Data Protection Act - Registration by Schools

37. Data Protection Act - Registration by Schools 37. Data Protection Act - Registration by Schools The Data Protection Act 1998 has replaced the Data Protection Act 1984. Whereas the 1984 Act only related to personal data that could be automatically

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development

More information

Vyners Learning Trust Data Protection and Retention Policy

Vyners Learning Trust Data Protection and Retention Policy Vyners Learning Trust Data Protection and Retention Policy 1. Background Vyners Learning Trust collects and uses personal information about staff, pupils, parents and other individuals who come into contact

More information

Quick guide to the employment practices code

Quick guide to the employment practices code Data protection Quick guide to the employment practices code Ideal for the small business Contents 3 Contents Section 1 About this guidance 4 Section 2 What is the Data Protection Act? 5 Section 3 Recruitment

More information

DISCLOSURE & BARRING SERVICE (DBS) POLICY

DISCLOSURE & BARRING SERVICE (DBS) POLICY DISCLOSURE & BARRING SERVICE (DBS) POLICY Human Resources and Organisational Development Changes February 2009: Policy introduced April 2010: Styling revised in line with corporate guidelines September

More information

This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged to read.

This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged to read. A basic guide to the Data Protection Act 1998 October 2002 INTRODUCTION This guide is a condensed version of the definitive The Data Protection Act 1998 and Market Research which all members are urged

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: December 2015 Version: 6.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Data Protection Good Practice Note

Data Protection Good Practice Note Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

MODEL DECLARATION FORM A

MODEL DECLARATION FORM A MODEL DECLARATION FORM A Guidance for applicants The position you have applied for is exempt from the Rehabilitation of Offenders Act 1974 (as amended in England and Wales). When South Central Ambulance

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Enforced subject access (section 56)

Enforced subject access (section 56) ICO lo Enforced subject access (section 56) Data Protection Act Contents Introduction... 2 Overview.3 The criminal offence.... 3 Exceptions and penalties.... 7 Relevant records....... 8 Other considerations

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998. BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Provision of Consent to Process Personal Data

Provision of Consent to Process Personal Data Provision of Consent to Process Personal Data Policy Owner Finance Director (University Secretary) and Deputy Chief Executive Date created 2013 Due for review 2016 Approval route Manager, Secretariat Provision

More information

HUMAN RESOURCES POLICIES & PROCEDURES

HUMAN RESOURCES POLICIES & PROCEDURES HUMAN RESOURCES POLICIES & PROCEDURES Policy title: Data protection policy Application: All employees CONTENTS PAGE Introduction 2 Status of the Data Protection Policy 2 Notification of data held and processed

More information

Application Form. Section 1 Personal Details. Oldham Hulme Grammar Schools Veale Wasbrough Lawyers 2006. Position Applied For: Title:

Application Form. Section 1 Personal Details. Oldham Hulme Grammar Schools Veale Wasbrough Lawyers 2006. Position Applied For: Title: Application Form Position Applied For: Section 1 Personal Details Title: Dr/Mr/Mrs/Miss/Ms Forename(s): Surname: Address: Former names: Preferred name: National Insurance Number: Postcode: Telephone Number(s):

More information

FINAL. Islington Children s Services Information Sharing Agreement. Children s Services Partnership. Nov 07 1

FINAL. Islington Children s Services Information Sharing Agreement. Children s Services Partnership. Nov 07 1 Islington Children s Services Information Sharing Agreement Children s Services Partnership Nov 07 1 CONTENTS PAGE Background 3 1. Introduction 3 2. Benefits for children, young people and families 4 3.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will:

Satisfaction of principles In order to meet the requirements of the principles, Team Bees will: Data Protection Policy Introduction. Team Bees is required to maintain certain personal data about living individuals for the purposes of satisfying operational and legal obligations. Team Bees recognises

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Information Sharing: Further guidance on legal issues

Information Sharing: Further guidance on legal issues Information Sharing: Further guidance on legal issues This guidance supports the cross-government guidance document Information sharing: Guidance for practitioners and managers. It provides practitioners,

More information

15 Principles on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters

15 Principles on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters 15 Principles on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters Principle 1 (Protection of rights and freedoms) 1. Personal data must

More information

Job Application Form. Name: Position Applied for:

Job Application Form. Name: Position Applied for: Job Application Form This is an interactive PDF form, all boxes can be filled out using Acrobat Reader. Please email completed documents to headmaster@stdavidscollege.co.uk If you do not have Adobe Acrobat

More information

The Data Protection Ordinance What s it all about? A guide for business, organisations & people

The Data Protection Ordinance What s it all about? A guide for business, organisations & people The Data Protection Ordinance 2004 What s it all about? A guide for business, organisations & people Government of Gibraltar Ministry of Consumer & Civic Affairs Ministry for Trade, Employment & Communication

More information

How much do I need to know about data protection?

How much do I need to know about data protection? The Guide to Data Protection How much do I need to know about data protection? A little A lot Nothing Don t know In this part Data protection basics The role of the Information Commissioner s Office Key

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM Last Revised: November 14, 2016 This Data Processing Addendum ( Addendum ) forms part of the master services agreement or terms of use, as applicable (the Agreement ), entered

More information

Guidance to Clubs on the Data Protection Act

Guidance to Clubs on the Data Protection Act Guidance to Clubs on the Data Protection Act February 2013 (updated October 2015) This is part of the RT2020 initiative by the T&RA to help clubs with relevant legislation. All organisations that collect

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring

More information

INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3

INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3 June 2007 Table of Contents INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3 3 Standard 1: Statement of purpose 3 Standard 2: Written guide to the adoption service for

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction

LCAT-Data Protection Policy-U LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY. Introduction LOOE COMMUNITY ACADEMY TRUST DATA PROTECTION POLICY Introduction 1. Looe Community Academy Trust (the Academy) is required to maintain certain personal data about living individuals for the purposes of

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Data Protection Policy

Data Protection Policy Data Protection Policy January 2016 Next Review Due: January 2017 Co-ordinator: Miss M Rudge/Mrs J McColl 1 ACADEMY DATA PROTECTION POLICY POLICY DATE: JANUARY 2016 REVIEW DATE: JANUARY 2017 Introduction

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

ffi Data Protection Policy *S,,?fi. i?#.#+"*# *S,#*'*#' #+ *S FKOADLEA THMARY SCHOOL

ffi Data Protection Policy *S,,?fi. i?#.#+*# *S,#*'*#' #+ *S FKOADLEA THMARY SCHOOL *S,,?fi. i?#.#+"*# *S,#*'*#' #+ *S FKOADLEA THMARY SCHOOL Aahiwo Bcliovc *ehbrefe Headteacher: Mrs Sharon Freeley BA (Hons) ATS Newport Road Lake lsle of Wight PO36 gpe Tel: 01983 402403 admin@broadleapri.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information