Chapter 1 Introduction and guidance for employers
|
|
- Cody Lloyd
- 7 years ago
- Views:
Transcription
1 A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests Managing Data Protection Conclusion Further information Technical Guidance notes Detailed Specialist Guidance
2 DATA PROTECTION LAW FOR EMPLOYERS 2008 Chapter 1 Introduction and guidance for employers Introduction The Data Protection Act applies to most employers in the UK. Whether they have registered or notified the Information Commissioner that they hold personal data which is caught by the Act or not, they must still comply with eight data protection principles and ensure they give individuals access to copies of the personal data of those individuals, which is held about them by the employer known in this context as the data controller. This report looks at how the Act affects employers rather than describes the Act in all its provisions. Lots of useful guidance on the Act is contained in the Introduction to the Act published by the IC on the IC s website. The eight data protection principles are that personal data must be: 1. processed fairly and lawfully 2. processed for limited purposes and not in any manner incompatible with those purposes 3. adequate, relevant and not excessive 4. accurate 5. not kept for longer than is necessary 6. processed in line with data subjects rights 7. secure 8. not transferred to countries that do not protect personal data adequately. 6 A THOROGOOD SPECIAL BRIEFING
3 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Subject access requests Employees, just like anyone else, whose personal data is held by someone have a right of subject access under section 7 of the Act to see the data held about them. Many employers find it useful to have a form for this purpose. If inaccurate data is held about someone they have a right to have it corrected and even to obtain a court order to force it to be corrected. There are also rights to sue for damages if loss has been suffered by a data subject arising from a breach of the Act. Compliance It is an obligation of the data controller to comply with the Act. This will be a limited company or could be a sole trader or partnership. However, companies act through their employees and directors, and it will be employees who either ensure the company complies or whose conduct results in a breach of the act. It may be wise to appoint an employee as the data protection compliance officer. For Government bodies the Data Controller is the Secretary of State. For other public organisations, it is usually the organisation itself that is liable. The IC has an Audit Manual on their website which helps companies to check if they comply. The IC has powers to take enforcement action if a breach of the Act occurs. Companies can be forced to change their policies or correct or delete records. Breach of the Act is a criminal offence. Offences include failing to register (notify), not keeping a notification up-to-date, unlawfully obtaining personal data and unlawfully selling the data. There are also rights to sue for damages to obtain compensation if the Act has been breached. Changing law This report looks at the Data Protection Act This brought an EU data protection directive into force in the UK. That directive was agreed in 1996 and in 2003 was being re-examined by the European Commission. It is possible it will be altered. In May 2003, the European Commission adopted the first report on the implementation of the Data Protection Directive. The report notes that the directive has broadly achieved its aim of ensuring strong protection for privacy but A THOROGOOD SPECIAL BRIEFING 7
4 DATA PROTECTION LAW FOR EMPLOYERS 2008 that late implementation by some member states, along with differences in national approaches, has prevented the EU from obtaining the full benefit of the Directive. Information on EU data protection law and documents reporting on progress under the directive is at: The Employment Practices Code This report principally concentrates on the application of the Act in the employment area as the IC construes this through its Employment Practices Code. What is this Code of Practice for? The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Who does data protection cover in the workplace? The Code is concerned with data that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term workers is used to cover all these individuals. As such it includes: Applicants (successful and unsuccessful). Former applicants (successful and unsuccessful). Employees (current and former). Agency workers (current and former). Casual workers (current and former). Contract workers (current and former). Some benchmarks will also apply to others in the workplace such as volunteers and those on work experience placements. What data are covered by the Code? It is likely that most information about workers that is processed by an organisation will fall within the scope of the Data Protection Act and therefore within the scope of this Code. 8 A THOROGOOD SPECIAL BRIEFING
5 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Personal data The Code is concerned with personal data. That is, information which: relates to a living person, and identifies an individual either on its own or together with other information that is in the organisation s possession or that is likely to come into its possession. All automated and computerised personal data is covered by the Act. It also covers personal data put on paper or microfiche and held in any relevant filing system. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered. A relevant filing system essentially means any set of information about workers in which it is easy to find a piece of information about a particular worker. A case called Durant v FSA looked at what this meant. It proposed a temporary secretary test if the temp can be sent to find the manual (ie non computer file) on an individual and can find it then it is likely to be sufficiently part of a structured set to fall within the ambit of the Act. Processing The Act applies to personal data that is subject to processing. For the purposes of the Act, the term processing applies to a comprehensive range of activities. It includes the initial obtaining of personal data, how it is kept and used, any access and disclosure of it and even its final destruction. Sensitive personal data Some particularly important data, such as about people s sexual inclinations or health, is classed as sensitive personal data. It must only be processed if explicit consent has been obtained for the processing. Sensitive data is data about: racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), physical or mental health or condition, A THOROGOOD SPECIAL BRIEFING 9
6 DATA PROTECTION LAW FOR EMPLOYERS 2008 sexual life, commission or alleged commission of any offence, or proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive data found in a workers record might typically be about their: physical or mental health as a part of sickness records disabilities to facilitate adaptations in the workplace, racial origin to ensure equality of opportunity, and trade union membership to enable deduction of subscriptions from payroll. The IC says: In the context of recruitment and selection typical circumstances in which sensitive personal data might be held include: relevant criminal convictions to assess suitability for certain types of employment. disabilities to ensure special needs are catered for at interview or selection testing. racial origin to ensure recruitment processes do not discriminate against particular racial groups. The Act sets out a series of conditions, at least one of which has to be met before an employer can collect, store, use, disclose or process sensitive personal data. The conditions include: The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Note: This condition can have quite wide application in the context of recruitment and selection. Employers rights and obligations may be conferred or imposed by statute or common law, which in this context means decisions in relevant legal cases. For example, they will include obligations to: 1. Ensure the health, safety and welfare of a worker at work. 2. Select safe and competent workers. 3. Ensure a safe working environment. 4. Not discriminate on the grounds of race, sex or disability. 10 A THOROGOOD SPECIAL BRIEFING
7 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS 5. Ensure the reliability of workers with access to personal data. 6. Protect customers property or funds in the employer s possession. 7. Check immigration status before employment. The IC says: Thus an employer may be able to collect information as to an applicant s criminal record or health in the recruitment process if this can be shown to be necessary to enable the employer to meet its obligations in relation to the safety of its workers or others to whom it owes a duty of care. The collection of sensitive personal data must however be necessary for exercising or performing a right or obligation which is conferred or imposed by law. This condition would not, for example, be satisfied if the employer obtains information on the criminal convictions of all applicants in order to protect its staff or customers if the protection could equally be provided by obtaining this information only on the successful applicant prior to confirmation of appointment. The processing: 1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), 2. is necessary for the purpose of obtaining legal advice, or 3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights. Note: The application of this condition in the context of recruitment and selection is quite limited but it might, for example, be relied on to enable a prospective employer to process sensitive personal data to defend him or herself were an applicant to make a claim of unlawful discrimination. The processing: 1. is of information in categories relating to racial or ethnic origin, religious or other beliefs or physical or mental health, 2. is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment, 3. there are safeguards for the data subject. Note: This condition will be relevant to equal opportunities monitoring related to racial origin, religion and disability. Processing must be necessary emphasising that wherever practicable, monitoring should be based on anonymous or aggregated information. A THOROGOOD SPECIAL BRIEFING 11
8 DATA PROTECTION LAW FOR EMPLOYERS 2008 The processing is necessary: 1. for the exercise of any functions conferred on any person by or under an enactment, or 2. for the exercise of any functions of the Crown, a Minister of the Crown or a government department. Note: This condition is most likely to be relevant to public sector bodies that may have specific legal duties placed on them in relation to the qualifications, attributes, background or probity of their workers. It will also be relevant when a public sector body concludes that in order to discharge its wider statutory functions it is necessary for it to process sensitive personal data, such as criminal convictions relating to applicants or, in exceptional cases, their family or close associates. It is likely, for example, to be relevant to the recruitment of police or prison officers. The data subject has given explicit consent to the processing: Note: Employers seeking to rely on this condition must bear in mind that: the consent must be explicit. This means the applicant must have been told clearly what personal data are involved and the use that will be made of them. The applicant must have given a positive indication of agreement (e.g. a signature), the consent must be freely given. This means the applicant must have a real choice whether or not to consent and there must be no significant detriment that arises from not consenting. Importantly the commissioner says: The extent to which consent can be relied upon in the context of employment is limited because of the need for any consent to be freely given. However, in relation to the recruitment and selection of workers this is less of a constraint. Individuals in the open job market will usually have a free choice whether or not to apply for a particular job. If consent to some processing of sensitive data is a condition of an application being considered this does not prevent the consent being freely given. It must of course be clear to the applicant exactly what he or she is consenting to. As recruitment proceeds it becomes less likely that valid consent can be obtained. If, for example, the direct consequence of not consenting is the withdrawal of a job offer the consent is unlikely to be freely given. 12 A THOROGOOD SPECIAL BRIEFING
9 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Making access requests The Act allows for any individual to make a subject access request to any organisation that he or she believes is processing his or her personal data. This request must be in writing, so by letter or . Once an organisation receives such a request it must respond promptly, or at the most within 40 calendar days. There is similar legislation in the Freedom of Information Act This allows anyone, companies as well as individual data subjects, to request information held by public bodies (it does not apply to bodies other than those in the public sector). This requires that such requests be made within 20 days. Many public sector bodies have harmonised their procedures to comply with the DPA and the FOIA and thus provide for a 20 (not a 40) day period. However, companies in the private sector, should stick with 40 days under the DPA. The data controller, in response to a request, must produce copies of the information it holds in an intelligible form. A charge of up to 10 can be made. The 40 day period starts once the organisation has received the fee together with any information it needs to verify the identity of the individual making the request, and to locate the information that the individual seeks. Practical guidance subject access requests Many companies have a form they ask data subjects to complete when making a request so that the company receives all the identification information it needs. It is wise to have such a form ready. Always check the individual is who they say they are before providing information. Never provide information for a spouse about their spouse for example. Consider requesting the applicant to narrow down what they are interested in discovering although all information must be supplied if requested it is often in practice wise to ask what are they particularly after to make the task for finding it easier. There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations. The exemptions, though, are limited in their application even within these areas. THIRD PARTY DATA Be careful not to disclose third party data in responding to requests. The IC has guidance on the IC website on subject access and third party data to which reference should be made. A THOROGOOD SPECIAL BRIEFING 13
10 DATA PROTECTION LAW FOR EMPLOYERS 2008 Managing Data Protection Most businesses will need to nominate someone to take charge of data protection in their company. The Information Commissioner suggests standards for managing data protection which are common to all four areas of the employment Code of Practice as follows: Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal data are seen as the norm. The benchmarks 1. Establish a person within the organisation responsible for ensuring employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice. 2. Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in light of this. 3. Assess what personal data about workers is in existence and who is responsible for them. 4. Eliminate the collection of personal data that is irrelevant or excessive to the employment relationship. If sensitive data is collected ensure that a sensitive data condition is satisfied. 5. Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer s policies and procedures. Make serious breaches of data protection rules a disciplinary offence. 6. Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification. 7. If applicable, consult trade unions or other workers representatives, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers data. 14 A THOROGOOD SPECIAL BRIEFING
11 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Notes and examples 1. In a small business, the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function, or someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a co-ordinated approach to data protection compliance. Ideally data protection should be seen as an integral part of employment procedures rather than as a stand alone requirement. For example, in the company s written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers. 2. It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company s IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance (for example, by ensuring that waste paper bearing personal data is properly disposed of). An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager in regards to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place. 3. It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, i.e. personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in your organisation will be collecting, using, storing and destroying such information. Only when you have ascertained this will you be able to check that your organisation is complying with the Act. A THOROGOOD SPECIAL BRIEFING 15
12 DATA PROTECTION LAW FOR EMPLOYERS When making your assessment of personal data consider if all the information collected on workers is necessary for the employment relationship. For example, information concerning workers lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers other jobs where there is a justifiable need, for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition. 5. Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, e.g. disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations. 6. Failing to notify when required to do so or failing to keep a notification up-to-date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers data on the Register of Data Controllers are complete, accurate and up-to-date. This may be a duty that he or she personally undertakes or it may be delegated. 7. Consultation is not in itself a legal requirement. Nevertheless consultation should help ensure processing of personal data is fair to the workers to whom the data relates. Conclusion The data protection legislation has wide application in the field of employment and employers need to consider its application from the recruitment stage, addressed in the next chapter, right through to termination of the employment contract and beyond. 16 A THOROGOOD SPECIAL BRIEFING
13 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Further information The Information Commissioner s website has the following guidance which is also regularly added to and expanded from time-to-time at (this list is current as of January 2008). Codes of practice Framework code of practice for sharing personal information Quick Guide to the Employment Practices Codes The Employment Practices Code The Employment Practices Code: Supplementary Guidance Code of Practice on Telecommunications Directory Information and Fair Processing. CCTV Technical Guidance notes These notes provide advice and information on the technical issues that affect both data protection and freedom of information. Determining what is personal data This technical guidance note explains and illustrates the Information Commissioner s view of what is personal data for the purposes of the Data Protection Act It is designed to help data protection practitioners decide whether data falls within the definition of personal data in circumstances where this is not obvious. Frequently asked questions and answers about relevant filing systems This technical guidance will help data controllers to decide whether the personal information they have is held in a relevant filing system as defined by the Data Protection Act. A THOROGOOD SPECIAL BRIEFING 17
14 DATA PROTECTION LAW FOR EMPLOYERS 2008 Filing defaults with credit reference agencies The aim of this guidance is to provide advice to credit grantors on the conditions under which information about defaults is filed with the credit reference agencies. Only if credit grantors file defaults information in broadly comparable circumstances to each other will credit reference agency records provide meaningful information about the financial standing of individuals, and be processed in a way that is fair to those individuals. The guidance sets common standards for filing defaults while recognising that some differences exist with the wide range of credit products available. Access to pupil s information held by schools in England/Wales/Scotland/Northern Ireland These guidance notes will help state primary and secondary schools and Boards of Governors in England, Wales, Scotland and Northern Ireland understand their responsibilities under the Data Protection Act regarding requests for pupil s information. The guidance for Scotland is also intended for independent schools. Local education and library boards may also find them useful. These notes also cover the separate right of access that parents have to the official educational record of their child. The use of personal information held for collecting and administering council tax This note explains the Commissioner s approach to the use of personal information obtained for the administration of council tax. Disclosures to MPs carrying out constituency casework Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order S.I.2002 No Radio frequency identification This technical note summarises RFID technology, its usage, and how the Data Protection Act 1998 applies. It is aimed at those using or thinking of using RFID technology. 18 A THOROGOOD SPECIAL BRIEFING
15 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Privacy enhancing technologies (PETs) This technical note is intended to raise awareness of the concept of privacy enhancing technologies and is aimed at system designers and those commissioning them. It will give a brief description of privacy enhancing technologies but draws on the extensive information published elsewhere. It is not intended to be an exhaustive account, rather a point of entry for readers who wish to further their own research. Subject access requests and legal proceedings The aim of this guidance is to provide an explanation to legal practitioners and data protection specialists of the Information Commissioner s view on the exercise of these access rights where legal proceedings are contemplated or ongoing. Subject access requests involving other people s information This technical note replaces previous guidance on this subject and deals with the potential conflict between an individual s right of access and a third party individual s rights to privacy of confidentiality. Freedom of information: access to information about public authority employees This guidance gives public authorities practical advice about dealing with requests made under the Freedom of Information Act for access to information about their employees. It should be read in conjunction with our freedom of information awareness guidance 1 about personal information which is available on the exemptions guidance section of the website. Health data: use and disclosure Health records: subject access Local authorities: data sharing Model contracts for transfer to other organisations Model contracts for data processors processing personal information on their behalf Notification of barristers chambers Notification of pension scheme trustees Promotion of a political party A THOROGOOD SPECIAL BRIEFING 19
16 DATA PROTECTION LAW FOR EMPLOYERS 2008 Registration officers: right to inspect local authority records Vehicle keepers information: implications on use and disclosures Detailed Specialist Guidance International transfers of data. See: list_guides/international_transfers_legal_guidance_v2.0_ pdf Audit Guide. See: list_guides/data_protection_complete_audit_guide.pdf Good practice notes Security of personal information This good practice note aims to alert small and medium sized organisations to the security measures they should have in place to protect the personal information they hold. Training checklist for small and medium sized organisations High-profile security breaches have increased public concern about the handling of personal information. We recognise that some organisations have limited resources to devote to staff training. This note outlines some of the practical implications of the Act and is intended as a basic training framework for general office staff in small and medium sized organisations. The exemption from notification for not-for-profit organisations This note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under DPA 1998 for not-for-profit organisations. Publication of Examination Results by Schools This good practice note aims to explain to boards of governors, head teachers and school data protection officers how the Data Protection Act (the Act) affects the publishing of examination results. 20 A THOROGOOD SPECIAL BRIEFING
17 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS The use and disclosure of information about business people The aim of this good practice note is to explain to local authorities how the Data Protection Act (the Act) applies to the sharing and use of information about business people. This could be information, for example, about a business person s payment of business rates or the results of an environmental health inspection of his or her premises. Collecting personal information using websites This guidance is a set of frequently asked questions for anyone collecting personal information using websites. Calling existing customers listed on the Telephone Preference Service This guidance explains the position regarding calling existing customers for marketing purposes when they are currently registered on the Telephone Preference Service (TPS) or those who subsequently register. Advice to local authorities on disclosing personal information to elected members. This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Advice for the elected and prospective members of local authorities This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Checklist for handling requests for personal information (subject access requests) This guidance aims to assist small and medium sized organisations that receive requests for information covered by the Data Protection Act The use of violent warning markers This good practice note explains to those working with the public how best to manage the use of violent warning markers. Corporate Telephone Preference Service This good practice note explains how companies can register their telephone numbers with the Corporate Telephone Preference Service A THOROGOOD SPECIAL BRIEFING 21
18 DATA PROTECTION LAW FOR EMPLOYERS 2008 (CTPS), and the rules that apply to calling companies that have registered their numbers. Releasing information to prevent or detect crime This good practice note explains what you need to consider when you are asked to release personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. It is intended as a guide for organisations that do not normally receive requests of this kind. Monitoring under section 75 of the Northern Ireland Act 1998 This good practice note aims to make clear that the Data Protection Act 1998 allows monitoring under section 75 of the Northern Ireland Act It also aims to provide advice for public authorities that are required to carry out such monitoring. Automatic renewal of policies or membership by credit or debit card This good practice note explains how insurance companies and other organisations can comply with the Data Protection Act 1998 when automatically renewing a policy, membership or other arrangement where a fee has to be paid. This note covers payment of fees by credit or debit card but not by direct debit. Tied agents and independent financial advisors This good practice note is aimed at firms of tied agents and independent financial advisors. It gives advice on common issues raised with the Information Commissioner about how to comply with the Data Protection Act. The term firm includes sole traders and partnerships. Outsourcing a guide for small and medium sized businesses This good practice note sets out what you need to do to comply with the Data Protection Act when you outsource the processing of personal information. Typical examples would include outsourcing your payroll function or customer mailings. It sets out which parts of the Act are important when outsourcing and provides some good practice recommendations. 22 A THOROGOOD SPECIAL BRIEFING
19 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Buying and selling customer databases This good practice note explains what organisations need to do to make sure they comply with the Data Protection Act when buying and selling databases which contain customers personal information. It is not intended to cover the purchase and sale of confidential personal information. This advice is for use when a business is insolvent or closing down or when as asset is being sold, either by the owner or an insolvency practitioner. How does the Data Protection Act apply to professional opinions? This good practice note aims to inform organisations and practitioners about some of the data protection issues that arise in relation to the information about individuals that they record in their professional opinions. The information in this note may also be of interest to individuals. Pension trustees and their use of administrators This good practice note explains to pension trustees how to comply with their obligations under the Data Protection Act 1998 when they use pension administrators to help them run a pension scheme. Subject access and employment references This good practice note clarifies how the Data Protection Act applies to employment references. The recommendations also apply to other types of reference, such as those provided for educational purposes. Disclosing information about tenants This good practice note answers some frequently asked questions from landlords about how the Data Protection Act applies to them, the information they hold about their tenants and information held on their behalf by a letting agent. Charities and marketing This good practice note explains what charities and voluntary organisations need to do to comply with data protection law when they carry out marketing activities. Electronic mail marketing This good practice note is aimed at helping businesses understand the dos and don ts of electronic mail marketing and gives an overview of the rules in the Privacy and Electronic Communications Regulations. A THOROGOOD SPECIAL BRIEFING 23
20 DATA PROTECTION LAW FOR EMPLOYERS 2008 Individuals rights of access to examination records This good practice note explains the right to access examination records under the Data Protection Act. The Freedom of Information Act also gives individuals the right to access other (non-personal) information held by public authorities. Providing personal account information to a third party This good practice note is aimed at helping people to decide whether or not to give information to third parties calling on behalf on an account holder. Taking photos in schools This good practice note is aimed at Local Education Authorities and those working within Schools, Colleges and Universities. Telephone marketing by a political party This good practice note is aimed at the public and political parties. Getting it right: a brief guide to data protection for small businesses Getting it right: small business checklist Schools: exam results disclosure to the media 24 A THOROGOOD SPECIAL BRIEFING
DATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationData Protection Policy
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
More informationData Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection
Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...
More informationHuman Resources and Data Protection
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
More informationData Protection Policy
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
More informationData Protection Policy
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
More informationDATA PROTECTION ACT 1998 COUNCIL POLICY
DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationHERTSMERE BOROUGH COUNCIL
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
More informationDATA PROTECTION POLICY
Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection
More informationData Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk
Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationLittle Marlow Parish Council Registration Number for ICO Z3112320
Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationCORK INSTITUTE OF TECHNOLOGY
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
More informationData protection. The employment practices code
Data protection The employment practices code Contents 3 Contents About the code 4 Managing data protection 11 Good practice recommendations 11 Part 1: Recruitment and selection 14 About Part 1 of the
More informationDATA PROTECTION AUDIT GUIDANCE
DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data
More informationDublin City University
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
More information2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.
University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information
More informationData Protection Act a more detailed guide
Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data
More informationGUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
More informationJohn Leggott College. Data Protection Policy. Introduction
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
More informationInformation Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
More informationScottish Rowing Data Protection Policy
Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this
More informationThe Manitowoc Company, Inc.
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
More informationData Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT
More informationData Protection Good Practice Note
Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationOBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationEnforced subject access (section 56)
ICO lo Enforced subject access (section 56) Data Protection Act Contents Introduction... 2 Overview.3 The criminal offence.... 3 Exceptions and penalties.... 7 Relevant records....... 8 Other considerations
More informationData Protection Policy
Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...
More informationHampstead Parochial CofE Primary School Data Protection Policy Spring 2015
Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school
More informationOffice of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
More informationQuick guide to the employment practices code
Data protection Quick guide to the employment practices code Ideal for the small business Contents 3 Contents Section 1 About this guidance 4 Section 2 What is the Data Protection Act? 5 Section 3 Recruitment
More informationData Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationData Protection and Data security Policy
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
More informationData Protection and Community Councils Briefing Note
Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationMENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose
MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring
More informationHow To Protect Your Personal Information At A College
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationBAILIWICK OF GUERNSEY DATA PROTECTION
BAILIWICK OF GUERNSEY DATA PROTECTION CODE OF PRACTICE: CRIMINAL RECORDS CHECK PREFACE Section 56 of the Data Protection (Bailiwick of Guernsey) Law, 2001 ( the DP Law ), as amended by Ordinance in 2010
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationThe Professional Standards Team is also available to discuss any aspect of the Code with you, so please do contact us if you have any queries.
The guide to complying with the REC Code of Professional Practice provides you with a page by page checklist on what you can do to ensure your agency is working to best practice. The Professional Standards
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationATMD Bird & Bird. Singapore Personal Data Protection Policy
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
More informationQUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt
QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.
More informationWho can benefit from charities?
1 of 8 A summary of how to avoid discrimination under the Equality Act 2010 when defining who can benefit from a charity A. About the Equality Act and the charities exemption A1. Introduction All charities
More informationData Protection Guidance
53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationData protection compliance checklist
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
More informationApplication Form. Section 1 Personal Details. Oldham Hulme Grammar Schools Veale Wasbrough Lawyers 2006. Position Applied For: Title:
Application Form Position Applied For: Section 1 Personal Details Title: Dr/Mr/Mrs/Miss/Ms Forename(s): Surname: Address: Former names: Preferred name: National Insurance Number: Postcode: Telephone Number(s):
More informationData Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website
Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,
More informationUniversity of Limerick Data Protection Compliance Regulations June 2015
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationAn employer s guide to the administration of the civil penalty scheme
An employer s guide to the administration of the civil penalty scheme 28 July 2014 Produced by the Home Office Crown copyright 2014 Contents 1. Introduction... 3 Changes to the scheme in May 2014... 3
More informationSUBJECT ACCESS REQUEST PROCEDURE
SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under
More informationData Security and Extranet
Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:
More informationData protection policy
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
More informationData Protection Policy
Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention
More informationRick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk
Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The
More informationPERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
More informationCouncil Tax Reduction Anti-Fraud Policy
Council Tax Reduction Anti-Fraud Policy Richard Davies Head of Revenues and Benefits, Torfaen Head of Benefits, Monmouthshire April 2015 1 Contents Section 1. 3 Background 3 Legislation and Governance
More informationData Compliance. And. Your Obligations
Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection
More informationINTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3
June 2007 Table of Contents INTRODUCTION 1 STRUCTURE AND APPROACH 1 CONTEXT AND PURPOSE 2 STATEMENT OF PURPOSE 3 3 Standard 1: Statement of purpose 3 Standard 2: Written guide to the adoption service for
More informationCode of practice for employers Avoiding unlawful discrimination while preventing illegal working
Code of practice for employers Avoiding unlawful discrimination while preventing illegal working [xx] April 2014 Presented to Parliament pursuant to section 23(1) of the Immigration, Asylum and Nationality
More informationMONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
More informationData Protection Policy
Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order
More informationGuidelines on Data Protection. Draft. Version 3.1. Published by
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
More informationJob Application Form. Name: Position Applied for:
Job Application Form This is an interactive PDF form, all boxes can be filled out using Acrobat Reader. Please email completed documents to headmaster@stdavidscollege.co.uk If you do not have Adobe Acrobat
More informationGENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS
GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...
More informationUNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and
More informationData Protection for the Guidance Counsellor. Issues To Plan For
Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)
More informationFIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS
FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),
More informationLaw Society of England and Wales - Chapter 3 - Money Laundering Regulations 2003
Law Society of England and Wales - Chapter 3 - Money Laundering Regulations 2003 Cut down version copied (on 5 November 2006) from: http://www.lawsociety.org.uk/professional/conduct/guideonline/view=page.law?policyid=225045
More informationSubject Access Request, Procedure, Guidance and Information
Subject Access Request, Procedure, Guidance and Information Updated: July 2015 Page 1 of 61 CONTENTS 1. Introduction 5 2. Legal Context 5 3. Subject Access Request to Personal Records Guidance 6 Guidance
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationDATA PROTECTION POLICY
MILNBANK HOUSING ASSOCIATION DATA PROTECTION POLICY LS/NOV.2011/REF.P14 1) INTRODUCTION Milnbank Housing Association recognises that the Data Protection Act 1998 is an important piece of legislation to
More informationData Protection Procedures
Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council
More informationGuide for Local Government Pension Scheme employers and admission bodies
Preparing for automatic enrolment Guide for Local Government Pension Scheme employers and admission bodies June 2013 A Introduction This guide is intended to highlight key aspects of the automatic enrolment
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationInquiry Report St Paul s School. Registered Charity Number 1119619
Inquiry Report St Paul s School Registered Charity Number 1119619 A statement of the results of an inquiry into St Paul s School (registered charity number 1119619). Published on 18 August 2015. The charity
More informationPersonal Data Act (1998:204);
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
More informationOn the edge Lexis PSL Restructuring & Insolvency
On the edge Lexis PSL Restructuring & Insolvency Data protection law for insolvency practitioners November 2014 Welcome to your third edition of On the edge, a series of guides highlighting a selection
More informationData protection registration: nature of work descriptions
Data protection registration: nature of work descriptions Finance, insurance and credit We use these descriptions to help us process your registration: Accountant Actuaries Agents for the NFU mutual Bank
More information1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.
MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix
More information10 DATABASE PRACTICE
10 DATABASE PRACTICE Background Marketers must comply with all relevant data protection legislation. Guidance on that legislation is available from the Information Commissioner's Office. Although data
More informationThe Guide to Data Protection. The Guide to Data Protection
The Guide to Data Protection Contents Introduction 1 Key definitions of the Data Protection Act 4 The Data Protection Principles 19 1. Processing personal data fairly and lawfully (Principle 1) 20 2. Processing
More informationRegister of People with Significant Control. Guidance for Companies, Societates Europaeae and Limited Liability Partnerships
Register of People with Significant Control Guidance for Companies, Societates Europaeae and Limited Liability Partnerships Version: 4 Published: 11 April 2016 Overview This guidance explains what you
More informationEmployment and Staffing Including vetting, contingency plans, training
Safeguarding and Welfare Requirements: Suitable People. Providers must ensure that people looking after children are suitable to fulfil the requirements of their role. Employment and Staffing Including
More informationData Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:
More informationThompson Jenner LLP Last revised April 2013 Standard Terms of Business
The following standard terms of business apply to all engagements accepted by Thompson Jenner LLP. All work carried out is subject to these terms except where changes are expressly agreed in writing. 1
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Document Management: Date Policy Approved: 29 April 2015 Date Amended: Next Review Date: April 2017 Version: 1 Approving Body: Resources Committee 1 1. Introduction The Data Protection
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationData Protection in the Charity & Voluntary Sector
1 Data Protection in the Charity & Voluntary Sector Guidelines April 2011.Version 5.0 Office of the Data Protection Commissioner 2 CONTENTS Page INTRODUCTION 3 1. Key Recommendations 4 2. Donor Databases
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More information