ILM Factsheet Dealing with data under the Data Protection Act 1998

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "ILM Factsheet Dealing with data under the Data Protection Act 1998"

Transcription

1 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity processing data for the purposes of the Data Protection Act? 3. Is my charity a data controller? Complying with the Data Protection Act 1. The Data Protection Principles 2. The First Principle 3. The Second Principle 4. The Third to Eighth Principles 5. The Notification procedures 6. Requests for information under the Data Protection Act 7. Other legal requirements in respect of information 8. Best practice for legacy managers handling data 9. Some practical examples Introduction This is a guide to following the requirements of the Data Protection Act The Data Protection Act aims to promote high standards in the handling of personal information, balancing the rights of individuals to privacy and the ability of organisations to collect and process data for the purposes of their business. The Data Protection Act applies to firms holding information about living individuals in electronic format and, in some cases, on paper. However, it does not apply to information relating to deceased persons. When holding information about living individuals, organisations must follow the eight data protection principles of good information handling. These are that personal information must be: Fairly and lawfully processed Processed for specified purposes Adequate, relevant and not excessive Accurate and, where necessary, kept up to date Not kept for longer than is necessary Processed in line with the rights of the individual Kept secure Not transferred to countries outside the European Economic Area unless the information is adequately protected This guide covers the type of data protected by the Data Protection Act in more detail, what you need to do to comply with the Data Protection Act if you handle this sort of data, requests for information under the Data Protection Act and some best practice for handling data in legacy management. For more information see the Information Commissioner s website:

2 Lester Aldridge would be pleased to assist with any information handling and compliance issues. Please contact Rosemary Collins at These notes do not constitute a definitive or complete statement of the law, and are not intended to constitute advice in any specific situation. You should take legal advice in specific situations. Key issues for Charity Legacy Departments 1. Any information held on a computer, processed automatically or in a relevant filing system that relates to a living individual, and from which the individual could be identified, is protected by the Data Protection Act. This includes any personal data relating to executors or other beneficiaries of their estates. 2. Information relating to deceased supporters is not caught within the ambit of the Data Protection Act. 3. A data controller is any person who accesses personal data relating to a living individual held by the organisation for certain purposes and decides why and how to use that data. 4. Any person who holds, deals with or destroys personal data relating to living individuals will be processing data for the purposes of the Data Protection Act. 5. To comply with the Data Protection Act, a data controller must comply with the eight Principles of Data Protection (as outlined in more detail below). 6. Preferably an organisation should establish its own Data Protection policy which ensures that personal data relating to living individuals is processed in accordance with the eight Principles of Data Protection. 7. A Data Protection policy should include provisions which ensure that all processing of data is fair and lawful, the purposes for which data will be processed are specified, only relevant data is stored and maintained, data is kept accurate and up-to-date and data is destroyed once it is no longer required. 8. The organisation must ensure they are registered with the Information Commissioner, who maintains a register of data controllers and the purposes for which they use personal data. 9. Individuals have a right to a copy of any data you hold relating to them, and such requests must be dealt with within 40 days of receiving them. The Data Protection Act 1. What sort of information is protected by the Data Protection Act? Essentially personal data is protected by the Data Protection Act.

3 Data broadly is any information which is held on a computer, processed automatically or in a relevant filing system. A relevant filing system is any set of information relating to an individual which (although not processed automatically) is structured, either by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. A relevant filing system might be any system of manual filing e.g. paper files, index cards, rolodex, non-automated microfiches, etc. where it is fairly easy to locate and extract information about a particular individual because the information is divided into categories. The Information Commissioner s guidance demonstrates that what is a relevant filing system will be interpreted quite broadly. The guidance states that sets of information: need not necessarily be grouped together in a file or files. They may be grouped together in some other way, for example, by prefix codes, or by attaching an identifying sticker within a file or files. Similarly, the information does not necessarily have to be grouped together in the same drawer of the filing cabinet or the same filing cabinet; nor does it necessarily have to be maintained centrally by an organisation [it] might be dispersed over different locations within the organisation, for example, different departments, branch offices, or via home workers. The case of Durant v FSA also considered what a relevant filing system is. The court held that manual filing would only be a relevant filing system if they were of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system. Any manual filing system: which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request is to be found there, would bear no resemblance to a computerised search. A filing system containing files about individuals, or topics about individuals, where the content of each file is structured purely in chronological order will not be a relevant filing system as the files are not appropriately structured, indexed, divided or referenced to allow the retrieval of personal data without leafing through the file. In order to determine whether manual filing is a relevant filing system or not it might be helpful to consider whether a temp could find the information quickly. Following the case of Durant it is likely that legacy files consistent primarily of correspondence filed in date order will not be covered by the provisions of the Data Protection Act. However, files with separate sections of financial information or contact information could be covered. Rather than decide whether each separate file in your control would be covered by the Data Protection Act, we recommend that you have a data collection, retention, review and destruction policy that covers all your data as a matter of good organisation and professional practice. The sort of data protected by the Data Protection Act is personal data. This is any data which relates to a living individual and from which the individual could be identified (on its own or if combined with other information which is in the possession of, or likely to come into the possession of, the data controller). This may include:

4 Name Address date of birth opinions about the individual indication of the intentions of the data controller in respect of the individual indication of the intentions of another person in respect of the individual other information from which the individual can be identified Again, the Information Commissioner interprets this quite widely. The Information Commissioner s guidance states that data does not have to relate solely to one individual, for instance, where a number of individuals share one telephone number that number is personal information in respect of each of them. Some business information can be personal information. For example, information concerning a sole trader, relating to one specific partner in a partnership or relating to one individual in a department of a company. However, the information must focus on the individual, so that information which focuses on a property or a company department, is not personal information unless it goes further than recording the individual s involvement and could be said to compromise the individual s privacy. Also, data may constitute personal information which is capable of identifying an individual even if the name and/or address of that individual is not known. The Information Commissioner s guidance states that for information to be capable of identifying an individual it is sufficient if the data are capable of being processed by the data controller to distinguish the data subject from any other individual. Examples of this are CCTV footage, addresses, internet tracking, etc. Broadly speaking, you will be holding data protected by the Data Protection Act if you hold any information which relates to a living individual: On a computer; or In a manual filing system where the information is categorised (by individual or category, etc) and is relatively easily accessible. 2. Is my charity processing data for the purposes of the Data Protection Act? Processing for the purposes of the Data Protection Act broadly encompasses obtaining, disclosing, recording, holding, using, erasing or destroying personal information. Processing is probably without limit (Elizabeth France, first Data Protection Commissioner). A data processor is anyone who processes data i.e. obtains, holds, deals with or destroys data (unless they are an employee of a data controller see below). 3. Is my charity a data controller? A data controller is a person (generally an individual or a company) who determines the purposes for which and the manner in which any personal data are to be processed. The definition of data controller is very wide. In most cases where you are involved in processing data, you, or the organisation you are employed by, will be a data controller. In some cases you might both be data controllers, for example, if you access data held by the organisation for certain purposes and you decide why and how to use that data.

5 If you obtain, hold, deal with or destroy personal data you will be processing data for the purposes of the Data Protection Act. If you also decide why and how to use personal data, you are a data controller and must comply with the Data Protection Act. If you do not decide why and how to use personal data, your employer is likely to be a data controller and your employer must ensure that you comply with the Data Protection Act. Complying with the Data Protection Act 1. The Data Protection Principles Compliance with the Data Protection Act means complying with the eight Principles of Data Protection. The Principles are that personal information must be: Fairly and lawfully processed, and not processed unless: o one of the Schedule 2 conditions is met; and o one of the Schedule 3 conditions is also met where the data is sensitive personal data Processed for specified purposes Adequate, relevant and not excessive Accurate and, where necessary, kept up to date Not kept for longer than is necessary Processed in line with the rights of the individual Kept secure Not transferred to countries outside the European Economic Area unless the information is adequately protected 2. The First Principle It is important to note that simply meeting one of the Schedule 2 conditions (and one of the Schedule 3 conditions where sensitive personal data is involved) does not, on its own constitute compliance with the First Principle. The processing must still be fair and lawful. Sensitive personal data is information as to: The racial or ethnic origin of the individual The political opinions of the individual The religious beliefs and other similar beliefs of the individual Whether the individual is a member of a trade union The physical or mental health or condition of the individual The sexual life of the individual The commission or alleged commission of any offence by the individual Any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court is such proceedings In practice, it is not likely to be difficult to satisfy one of these conditions. You may, however, like to give some thought to having a system of requesting consent from individuals you deal with to the processing of their data. This would avoid the need to meet the criteria of one of the other conditions, which may be more difficult. The Schedule 3 conditions are much less likely to apply and particular care must be taken when dealing with sensitive personal data. In particular, obtaining explicit consent is much more difficult to achieve than consent under the Schedule 2 conditions.

6 As noted above, meeting one of the relevant conditions does not, on its own, constitute compliance with the First Principle. In addition, the data must be processed fairly and lawfully in general. The Data Protection Act gives further detail in regard to dealing with personal data fairly: 1. The way in which the data is obtained will be considered i.e. it is important not to deceive or mislead an individual as to the purposes for which the personal data is to be processed. 2. The data controller is obliged to provide the following information ( the fair processing information ) to data subjects when collecting their personal data: The identity of the data controller (and any representative); The purpose or purposes for which the data are to be processed; and Any further information which is necessary, taking into account the specific circumstances in which the data are or are to be processed, to enable the processing in respect of the data subject to be fair. Even where these requirements are complied with this will not ensure that the processing of any personal data is fair where there are other factors which would make the processing unfair. 3. The Second Principle The Data Protection Act provides guidance on the interpretation of the Second Principle. There are two ways a data controller may specify the purposes for which personal data is obtained: 1. In a notice given by the data controller to the data subject in accordance with the fair processing requirements (see above); or 2. By notifying the purposes on a data controller s Data Protection Register entry, through the Notification procedures The Third to Eighth Principles The Third Principle is much easier to interpret. Data controllers should identify the minimum amount of information they require for their purpose. If additional information is required in some cases the information should not be obtained routinely, but only in those cases. Some points to consider may be: the number of individuals on whom information is held the number of individuals for whom it is used the nature of personal data the length of time it is held the way it was obtained the possible consequences for individuals of the holding or erasure of the data the way in which it is used the purpose for which it is held Procedures should be in place to ensure that personal data is kept up to date and is not misleading or incorrect. A data controller should consider: recording when data is recorded or last updated, training or policies requiring employees to update data on certain events or

7 at certain intervals of time, whether out of date information is likely to cause distress or damage to the data subject, etc. Data controllers need to review personal data held regularly and delete information which is no longer required for their purposes. It may well be necessary to retain information after a matter has been concluded, for example, to defend future legal claims. If this applies, the information should be deleted after a reasonable time and once the possibility of requiring the information for this purpose no longer exists. Data controllers should develop their own retention policy in relation to the deletion of such information. You must ensure you have a policy of reviewing files and diarizing destruction dates (which you must be able to justify as being no longer than necessary). This Principle will be contravened if the data controller fails to: supply information requested by the data subject (see below) comply with notices given under the Data Protection Act The data controller must take reasonable steps to ensure the reliability of staff having access to personal data, to implement measures or policies with respect to dealing with personal data, to conduct risk assessments, to consider privacy enhancing techniques and technology, etc. If you are involved in transferring personal data outside the EEA, we recommend that you take further advice on the level of protection afforded by the country or territory you are dealing with. 5. The Notification procedures The Information Commissioner maintains a register of certain data controllers and the purposes for which they use personal information. Joining the register is called notification. Most large charities need to be registered because of fundraising activities, legal activities and trading or sharing personal information they are involved in. However, smaller charities may not need to be registered. In order to notify, a form must be completed (which is available from the Information Commissioner s website), signed and returned to the Information Commissioner. There are a number of templates which detail the purposes and processing that certain types of business carry out and these can be amended as required. Notification must be renewed annually and there is currently a 35 fee for notification. Requests for information under the Data Protection Act Under section 7 of the Data Protection Act, an individual has the right to get a copy from you of the data you hold relating to them. This is known as the right of subject access. An individual may make a request in writing (which includes ) to be told whether the data controller or someone else on the data controller s behalf is processing their personal data. This is known as a subject access request.

8 If you receive a subject access request you must deal with it promptly and in any case within 40 days of receiving it (and the fee if there is one). You should send the individual: a copy of the personal information you hold on them (in permanent form, unless this would involve disproportionate effort); any details available to the data controller as to the source of the data; details of the purposes for which it is being processed; and details of those to whom the personal information is or may be disclosed. The information must be in a form that the individual can understand, for example, it must be in a language they understand, or if coded they must be provided with the key to the code. You are entitled to charge a fee, currently up to a maximum of 10. Identifying other individuals Where it is not possible to comply with a subject access request without disclosing information relating to another individual who can be identified from that information, you are not obliged to comply with the request unless: the other individual has consented to the disclosure of the information to the person making the request, or it is reasonable in all the circumstances to comply with the request without the consent of the other individual. Where the individual who can be identified is the source of the information, the data controller must disclose as much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. Other legal requirements in respect of information Confidentiality You may have obligations of confidentiality to persons you hold information about. This may, unlike the Data Protection Act regime, include organisations who are also beneficiaries. Ultra vires / Excess of delegated powers You or your charity may be restricted by your, or your charity s power or authority to do certain acts in relation to information. Legitimate expectation You must have regard to any legitimate expectations of persons as to how you will use any information concerning them. Human Rights Act 1998 You must have regard to Article 8 of the European Convention on Human Rights, which affords individuals the right to respect for private and family life, home and correspondence.

9 Freedom of Information Act 2000 If you disclose any information to a public authority (including local authorities, schools, universities, etc) the public authority may not be able to keep that information confidential. Under the Freedom of Information Act 2000, there is a general right of access to all recorded information held by public authorities. Best practice for legacy managers handling data Whether the Data Protection Act applies to your activities or not, compliance with Data Protection Act compliant procedures will be beneficial to your working practices. For example: Sending mail to incorrect addresses and generally out of date records wastes time and money and damages public relations. Good information handling improves your reputation and increases confidence in you. Good information handling reduces the risks of claims being made against you. The Information Commissioner has produced the following checklist which should assist you in improving information handling. Following the points does not guarantee compliance with the Data Protection Act, but it should stimulate you to think about your approach to information handling. Some practical examples Example 1 Dave is a legacy manager for a large charitable organisation, the Westcombe Nature Reserve Trust ( the Trust ). The Trust pursues a lot of different activities including fundraising, advertising, staff administration and it also gives legal advice relating to environmental laws and prosecutes breaches of environmental law. In order to deal effectively with the administration of legacies received each year from the supporters of the Trust, Dave has a computer database which lists the contact details of various lay executors. The Trust is a data controller, and because of the activities it pursues it must notify the Information Commissioner of what processing of personal information it conducts and the purposes it processes that data for. Dave s database is information which is protected by the Data Protection Act. The Trust and its employees can process the contact details it holds for the lay executors because it does not hold sensitive personal data and it processes the information necessarily in pursuit of a legitimate interest of the Trust (Schedule 2 condition 6). The Trust must comply with the Data Protection Act and so it would be wise for the Trust to have a policy for dealing with Dave s database to ensure that the eight Data Protection Principles are adhered to by Dave and anyone else using the database. This may mean restricting access by only giving passwords to those staff who really need to use the database, and diarising review dates to purge old information. For example, executor s details are unlikely to be needed for long after the administration of an estate has been completed and the executors have been released from their liability. Example 2

10 Reginald is a legacy manager for a small organisation, the National Benevolence Fund for Hindu Sadhus ( the Fund ). The Fund does not have any computers and Reginald conducts his work using paper files which contain correspondence filed in date order. Reginald has a number of files which are contested and on these matters he tends to hold information about various individuals religious views due to the nature of the Fund. Reginald s files will not constitute a relevant filing system covered by the Data Protection Act unless they are divided or indexed in some way so that information relating to an individual can be located quickly. However, Reginald should consider data protection issues so that he can be more efficient, reduce waste, maintain confidentiality, present a professional image, and inspire confidence. Reginald should consider the conditions to guide him as whether his use of personal data is necessary. Schedule 2 condition 6 and Schedule 3 condition 4, 5 or 6 are likely to cover his activity. Reginald should have a system by which he ensures that the information he holds is up to date, accurate and relevant and he should ensure his files are destroyed when they are no longer needed probably when any period for a potential appeal against court decisions to be lodged has expired. Reginald should also consider the security of the information, for example, keeping his files locked away when he is not using them rather than leaving them out on his desk for anyone to access.

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

Chapter 1 Introduction and guidance for employers

Chapter 1 Introduction and guidance for employers A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data protection. The employment practices code

Data protection. The employment practices code Data protection The employment practices code Contents 3 Contents About the code 4 Managing data protection 11 Good practice recommendations 11 Part 1: Recruitment and selection 14 About Part 1 of the

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

DATA PROTECTION AUDIT GUIDANCE

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

DATA PROTECTION MANUAL

DATA PROTECTION MANUAL DATA PROTECTION MANUAL VERSION TABLE Version Date Published CO Circular 1 September 2008 3 July 2015 July 2015 2 CONTENTS Part A: General Guidance 1 Introduction to the Data Protection Act 1998 5 2 The

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

Data Protection Good Practice Note

Data Protection Good Practice Note Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention

More information

Data Protection Policy

Data Protection Policy Data Protection Policy BMBC Data Protection Policy V1 Page 1 of 7 Table of Contents 1 INTRODUCTION... 3 2 POLICY STATEMENT... 3 3. SCOPE... 3 4 DATA PROTECTION PRINCIPLES... 4 5 PREREQUISITE CONDITIONS

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

DATA PROTECTION POLICY. DATA PROTECTION POLICY Reviewed and Adopted April Signed...COG...HEAD

DATA PROTECTION POLICY. DATA PROTECTION POLICY Reviewed and Adopted April Signed...COG...HEAD DATA PROTECTION POLICY DATA PROTECTION POLICY Reviewed and Adopted April 2016 Signed...COG...HEAD Next review April 2018 Data Protection Policy AIMS This policy sets out the Council s commitment to the

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

The Guide to Data Protection. The Guide to Data Protection

The Guide to Data Protection. The Guide to Data Protection The Guide to Data Protection Contents Introduction 1 Key definitions of the Data Protection Act 4 The Data Protection Principles 19 1. Processing personal data fairly and lawfully (Principle 1) 20 2. Processing

More information

The Manchester College

The Manchester College The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Data Protection in the Charity & Voluntary Sector

Data Protection in the Charity & Voluntary Sector 1 Data Protection in the Charity & Voluntary Sector Guidelines April 2011.Version 5.0 Office of the Data Protection Commissioner 2 CONTENTS Page INTRODUCTION 3 1. Key Recommendations 4 2. Donor Databases

More information

A common sense guide to the Data Protection Act 1998 for volunteers

A common sense guide to the Data Protection Act 1998 for volunteers A common sense guide to the Data Protection Act 1998 for volunteers Why is it necessary? The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled

More information

Access to Information: Data Protection and Freedom of Information

Access to Information: Data Protection and Freedom of Information Access to Information: Data Protection and Freedom of Information Records Management Section Data protection: key concepts Personal data Sensitive personal data Data subjects Data protection principles

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

Data Protection Policy Information for Clients

Data Protection Policy Information for Clients Data Protection Policy Information for Clients Foreword This document outlines Numis Securities Limited s ( the Firm or Numis ) legal obligations and policy on data protection. Further information can

More information

Data Protection Workshop: How the Law Affects You Practice Questions

Data Protection Workshop: How the Law Affects You Practice Questions Data Protection Workshop: How the Law Affects You Practice Questions 1. Which of the following is not personal data covered by the Data Protection Act (pick one or more): A. Comments about an individual

More information

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information. MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council Huntly Nordic Ski and Outdoor Centre Reference No: 200600082 Decision Date: 30 March 2009 Kevin Dunion Scottish Information Commissioner Kinburn Castle Doubledykes Road St Andrews KY16 9DS Tel: 01334 464610

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

Data Protection and Community Councils Briefing Note

Data Protection and Community Councils Briefing Note Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

1. Introduction Purpose The purpose of this policy is to:

1. Introduction Purpose The purpose of this policy is to: 1. Introduction 1.1. Overview The use of Closed Circuit Television or Surveillance Cameras (collectively known as CCTV) that capture and process images of individuals, who can be identified from those

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. INTRODUCTION 1.1. The Data Protection Act gives you as an individual the right to know what information is held about you. It provides a framework to ensure that personal information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Document Management: Date Policy Approved: 29 April 2015 Date Amended: Next Review Date: April 2017 Version: 1 Approving Body: Resources Committee 1 1. Introduction The Data Protection

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

Falkirk Council Data Protection Guidelines

Falkirk Council Data Protection Guidelines Falkirk Council Data Protection Guidelines Contents Contents 2 Objectives 3 What does the Data Protection Act 1998 do? 3 Who is who under the Data Protection Act 1998? 4 Definitions 4 The Eight Principles

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

The Chafford School. Data Protection and Freedom of Information Policy

The Chafford School. Data Protection and Freedom of Information Policy The Chafford School Data Protection and Freedom of Information Policy INDEX Aims & Objectives... 3 Data Protection The law... 3 Processing, storing, archiving and deleting personal data: Guidance... 3

More information

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 This guidance is suitable for Public Disclosure Owner of Doc:

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

Data Protection for Charities

Data Protection for Charities Data Protection for Charities CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information