Data Protection Policy

Date approved by Heads of Service: 3 June 2014
Staff member responsible: Director of Finance and Corporate Services
Due for review: June 2016

Content

1 Purpose of the Policy
2 Definitions
3 Commitments
4 Responsibilities
5 Key Points of the Policy
6 Monitoring and Review
7 Communication to Staff
Appendix: Breach Procedure

1. Purpose of the Policy

1.1 The purpose of the policy is to demonstrate the corporate commitment of the organisation for a culture of ensuring the principles within the Data Protection Act 1998 are embedded.

1.2 The organisation collects, receives, holds and processes a wide range of personal data relating to individuals which may be held electronically or in manual systems. This policy therefore provides some clarity around the Data Protection Act 1998 and enforceable rights to individuals and those who hold personal data.

1.3 Clearly identify responsibilities within the policy and particular reference should be given to those noted within section 4 and across the key points of the policy.

2. Definitions

2.1 For the purposes of this policy and accompanying guidance the following definitions apply:

2.2 "The Association" means Cestria Community Housing, which is registered as the data controller with the Information Commissioner under the Data Protection Act 1998 to process personal data.

2.3 Employees includes all workers who are employed by the Association under a contract of employment, or are working for the Association as a consultant or are temporary staff or work through an agency and have access to data.

2.4 "ICT Users": anyone who accesses ICT systems, or uses ICT equipment, which is owned by the Association. Such users could include, but are not limited to, staff, contractors, Board Members and tenants.

2.5 "ICT equipment" includes that which is owned or leased by the Association, or used in conjunction with the Association's assets, and must be used in line with this and other ICT policies and is in respect of the following:
- Internet
- Intranet
- Telephony including Mobile Devices
- Computers
- Laptops
- Fax Machines
- Smart Phones

2.6 "Customers" includes persons to whom the Association provides accommodation and services including tenants and leaseholders, residents and housing applicants and former and future tenants and leaseholders, residents and housing applicants.

2.7 Data Controller: the Data Controller is Cestria Community Housing Association. The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services. Any questions or concerns about the interpretation or operation of this policy should in the first instance be discussed with the Company Secretary.

2.8 Data Subject is any living person who is the subject of personal data, whether in a personal or business capacity.

2.9 Personal data is any information/data relating to an individual who can be identified from the data (or from the data and other information in the possession of the Association). Personal data can be factual, e.g. name, address, date of birth, or it can be an opinion, e.g. performance appraisal. Such information normally has the individual as its focus and affects their privacy in some way. Personal data may be held on paper forming part of a relevant filing system, or on a computer or other electronic system, e.g. CCTV.

"Processing" means any activity that involves the use of data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

The processing of personal data must comply with the data protection principles under the Data Protection Act. These state that the personal data must be:
- processed fairly and lawfully;
- processed for limited, specific purposes and not further processed for a purpose incompatible with the specified purposes;
- adequate, relevant and not excessive for the purpose;
- accurate and kept up to date;
- not kept longer than necessary for the purpose;
- processed in line with the data subjects' rights;
- secure;
- not transferred to people or organisations situated in countries outside the European Economic Area (EEA) without adequate protection for personal data.

2.11 "Sensitive personal data" includes, but is not necessarily limited to, information about a person's racial or ethnic origin, their political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life or proceedings for any offence.

"Confidential information": this comprises all commercially sensitive data whether received formally, informally, or discovered by accident. This includes, but is not necessarily limited to:
- any personal data about employees, board members, employment applicants, customers, consultants, contractors, suppliers, and partners;
- any policy, procedure, or strategy deemed by the board to be commercially sensitive;
- any other information, not in the public domain, that is likely to be commercially sensitive or where there is a risk of the Association being damaged by its disclosure;
- tenders and quotations for services and works.

Subject Access Request is a request from an individual to view the personal data that the Association holds about them. Under the Data Protection Act, any such individual, known as the data subject, has the right to access their own personal information.

Data breach is the intentional or unintentional release of secure information. It is a security incident in which sensitive, protected or confidential information is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so, and may include but is not limited to theft or loss of ICT equipment where such information may be stored unencrypted.

3. Commitment

3.1 The Association is committed to:
1. Ensuring compliance with the Data Protection Act.
2. Providing clear guidance and training to staff on data protection issues.
3. Taking appropriate security measures to safeguard personal information.
4. Ensuring all employees and Board members ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure, and in particular that paper files and other records or documents containing personal / sensitive information are kept in a safe environment; personal data held on computers and computer systems is protected by the use of safe passwords and that individual passwords are kept private.
5. Ensuring all contractors, consultants and suppliers ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Cestria are aware of this policy and their responsibilities under the Data Protection Act.
6. Ensuring that this policy and any associated guidance are applied appropriately and consistently.
7. Ensuring this policy is implemented in line with Cestria's Equality and Diversity Policy and associated legislation. Consideration will be given to all protected characteristics under the Equality Act 2010 to eliminate discrimination, advance equality of opportunity and foster good relationships.
8. Ensuring this policy and associated documents are available in different languages and alternative formats such as large print, audio-type etc. on request.

4. Responsibilities

Cestria CHA

4.1 The Association, or its representatives, reserves the right to audit networks and systems on a periodic basis to ensure compliance with this and other relevant policies.

4.2 To meet business or service needs, or where legal issues are involved, management reserves the right to inspect such records without the user's prior knowledge or consent.

Data Controller

4.3 The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services.

4.4 The Data Controller has 40 calendar days to process requests made in respect of personal data (subject access requests) and respond to the applicant, once the fee has been received.

4.5 The Data Controller will ensure appropriate information in respect of this policy is made available once everything is satisfied, in line with the key points section with support from manager where required.

4.6 The Data Controller is the key point of contact for any query that may arise from staff in respect of this policy and/or data protection/security and/or data breach.

4.7 The Data Controller will investigate any data breaches he is made aware of and ensure an appropriate response.

Heads of Service

4.8 Will support the Data Controller in respect of this policy when subject access requests are received.

4.9 Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Managers

4.10 Will ensure appropriate information in respect of this policy is made available to support the Data Controller, in line with the key points section.

Will approve who within their service teams are able to work at home whenever this may be required.

Will agree all arrangements for monitoring, supervising, setting workloads etc. in respect of home working.

Are responsible for ensuring operational procedures within their service teams reflect the correct application of data protection requirements where personal data is collected and/or processed.

Are responsible for ensuring periodic and ongoing monitoring checks are undertaken to ensure compliance with data protection including all other relevant policies and processes.

Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Employees

4.16 Whose role requires access to personal data, must ensure they comply with this policy at all times and in particular the 8 principles of the Data Protection Act.

Ensure they comply with the Subject Access Request guidance in respect of this policy.

4.18 When working from home employees must seek their manager's prior approval to work at home whenever this may be required in line with the ICT Acceptable Use Policy and provide their own equipment.

To ensure personal data and security, are not to release their home address and telephone number to non-members of staff. Employees are also strongly advised not to meet volunteers, clients, or customers at home. In the event that any employee feels this is essential they must gain prior approval from their line manager.

Must ensure confidentiality and therefore equipment and files should only be accessible to the employee and safeguarded from access by other members of the household and visitors.

It is the responsibility of every employee and user to know and understand this and other relevant policies, and to conduct their activities accordingly.

Ensuring data breaches within the Association are reported to the Data Controller as indicated within this policy.

Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Users

4.24 Must advise IT Support Services if they have sensitive or vulnerable data in order that they can discuss and consider encryption.

Must maintain personal safety and privacy while accessing the Internet.

It is the user's responsibility to ensure that suitable access restrictions are put in place on any smart phone/devices that are accessing work related information (emails, calendars, etc.).

Must adhere to this and other ICT policies:
- ICT Acceptable Use Policy and Internet Policy
- Electronic Media and Data Security Policy
- Social Media Policy and procedures

4.28 It is the user's responsibility to ensure compliance with all applicable provisions of this policy. Ignorance will not be recognised as sufficient grounds for appeal. If you have any comments or queries, or there is any provision that you do not understand, you should contact your Head of Service.

4.29 Must never reveal their account password to others or allow use of their account by others. This includes family and other household members if working from home.

Must not use the Association's ICT equipment to evade, or attempt to evade, the security and authentication processes.

Must never install software applications and/or updates from the internet without the express authorisation of the IT Support Services Team.

ICT Support Services Team

4.32 The ICT Support Services Team, or their representatives (e.g. an external consultancy when doing penetration tests etc.), may monitor equipment, systems and network traffic at any time for any purpose permissible by law and ensuring security of data within ICT systems or when instructed to do so, in respect of security of data, by an Executive Team Member.

5. Key Points of the Policy

5.1 General Principles

Through the course of our business, we will collect information about people, such as:
- current, past and prospective customers
- current, past and prospective employees
- current, past and prospective Board members
- any member of the public
- suppliers, contractors and consultants

Personal information we may hold must be dealt with properly, regardless of how the information is collected, recorded or used and regardless of whether it be on paper or on electronic systems or any other means.

The Data Protection Act 1998 applies to electronic and paper records containing personal data as well as data held visually in photographs or video clips (including CCTV) or sound recordings. This includes any expression of opinion about an individual and intentions towards an individual.

5.2 The Data Protection Act

The Data Protection Act 1998 regulates the collection, holding, processing and distribution of personal data, that is, information relating to individuals which is held either electronically or in manual systems. The Act gives enforceable rights to individuals and places obligations on those who hold personal data.

5.2.2 In cases where an individual requests access to their personal information under this Act, Cestria must tell the applicant whether it holds the information, and must supply it within 40 calendar days, in the format requested.

There are eight data protection principles. These require personal information to be:
- fairly and lawfully processed;
- processed for limited, specified purposes;
- adequate, relevant and not excessive;
- accurate and kept up to date;
- not kept longer than necessary;
- processed in accordance with individual rights;
- kept secure;
- not transferred abroad to countries without adequate protection.

5.3 Disclosure of information

Personal data and confidential information held will only be passed to others on a need to know basis and with an individual's consent unless there are exceptional circumstances. Exceptional circumstances include:
- where there is clear evidence of fraud;
- to comply with the law;
- in connection with legal proceedings;
- where it will be essential to enable the Association to carry out its duties, for example where the health and safety of an individual will be at risk by not disclosing the information;
- personal data may only be transferred to a third party data processor if the third party enters into a contract in which it agrees to comply with appropriate security procedures and policies.

5.4 Requests for Personal Data (Subject Access Requests)

Guidance in respect of Subject Access Requests has been provided to every employee and must be considered, in line with this policy.

Everyone has the right to access personal data that is being kept about them as long as it falls within the scope of the Data Protection Act.

Anyone may make a request for access to personal data which Cestria holds about them. Such requests must be made in writing and should be submitted to the Company Secretary. The request must include the:
- applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- £10 fee.

The Data Controller has 40 calendar days to process the request and respond to the applicant, once the fee has been received.

Any personal information can be requested; however, the Association is allowed by the Act to withhold third party personal information if the third party has not consented to its disclosure.

5.5 Requests for Information about Other People

Information will only be provided where the data subject has consented or there is an exemption which applies under the Data Protection Act. Anyone who wishes to request this information must make their request in writing. The request must include the:
- applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- the £10 fee.

Cestria does not need to comply with a request when they have received an identical or similar request from the same person unless a reasonable amount of time has elapsed between the initial and subsequent requests. The Data Controller then has 40 calendar days to process the request and respond to the applicant.

5.6 Data Protection Exemptions

When considering a request for personal data the Data Controller may apply exemptions in the Data Protection Act 1998 which:
- If the personal data was disclosed would prejudice the prevention or detection of crime and the collection or assessment of tax;
- In connection with legal proceedings;
- Would prejudice negotiations with the data subject;
- Are covered by legal privilege.

5.7 Reporting a Data Breach

In the event of a security breach, there are four important elements to undertake:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response

The data breach process is appended to this policy, however in the event of discovering a data breach, employees (you) must:
- Inform the Data Controller immediately;
- Inform your Manager/Head of Service immediately;
- Take immediate steps to contain the breach;
- Make a preliminary assessment.

Once made aware, managers and/or heads of service must:
- Evaluate the risks for individuals associated with the breach;
- Consider what personal information is involved;
- Determine whether the context of the information is sensitive;
- Establish the cause and extent of the breach;
- Identify what is the risk of harm;
- Consider breach notification;
- Risk analysis on a case-by-case basis;
- Ensure the Data Controller is updated regularly.

Where there is a potential harm to the data subjects, managers must:
- Review the incident and take action to prevent future breaches;
- Fully investigate the cause of the breach;
- Consider developing a prevention plan;
- Option of audit to ensure the plan is implemented;
- Update security/response plan;
- Make appropriate changes to policies and procedures;
- Revise staff training practices.

5.8 Other linked policies

In addition to adhering to the Staff Code of Conduct, other documents that must be considered along with this Data Protection Policy are shown below; however, this is not an exhaustive list:
- ICT Acceptable Use policy
- Electronic Data Security policy
- Social Media Policy
- Clear Desk Policy
- Equality and Diversity policy
- Disciplinary policy
- Safeguarding policy

6 Monitoring and Review

6.1 The Director of Finance and Corporate Services will be responsible for reviewing this policy which will be reviewed every 2 years to ensure that it is effective and complies with current practice. Should there be any change to the statutory requirements a review would be carried out sooner.

7 Communication to Staff

7.1 All managers must communicate and share this policy with the team within four weeks of policy approval. Managers are required to discuss the impact and the implications of this policy at the team meeting for all staff (new and existing).

7.2 Managers are required to ensure team members understand the relevance of the policy and show their acceptance by signing below.

7.3 Managers must also keep the signed copy of the policy for future reference.

8 Acceptance of the policy:

8.1 I have read and understood the policy. I understand the impact, implications and my responsibility in relation to this policy.

Team Name Signature Date


Data Security Breach Process

In the event of a security breach, the following process must be followed to ensure four important elements are considered: containment and recovery, assessment of ongoing risk, notification of the breach and evaluation and response.

In all cases, the Data Controller must be informed immediately, as well as your manager and head of service. The Data Controller will take the lead on all breach investigations and managers and heads of service will fully support this process and ensure the Data Controller is constantly updated.

Throughout the investigation, individuals will be identified by the lead in respect of actions to be taken particularly in the:
- containment period, i.e. closing section of network, finding the lost piece of equipment or changing access codes etc.
- recovery period, i.e. recover any losses and limit damage the breach has caused as well as the physical recovery of equipment.
- notification: where appropriate, informing the police.

In the event of any data security breach, the following process must be followed:

Security Breach

If you discover a data security breach, you must:
- Inform the Data Controller immediately and your manager and head of service
- Take immediate steps to contain the breach and make a preliminary assessment, ensuring you keep your manager updated

Once made aware, managers and heads of service must, while ensuring the Data Controller is constantly updated:
- Evaluate the risks for all those associated with the breach
- Consider what personal information is involved
- Determine whether the context of the information is sensitive
- Establish the cause and extent of the breach
- Identify what the risk of harm is
- Consider breach notification and conduct a risk analysis on each case

Where there is potential harm to the data subjects, managers and heads of service must:
- Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach
- Consider developing a prevention plan
- Consider option of audit to ensure the plan is implemented
- Update security / response plan
- Make appropriate changes to policies & procedures and revise staff training practices

If you require further information you must speak to the Data Controller and/or consult the Information Commissioner's Office (ICO) website through the following link: on/practical_application/guidance_on_data_security_breach_management.pdf


More information

1. Introduction Purpose The purpose of this policy is to:

1. Introduction Purpose The purpose of this policy is to: 1. Introduction 1.1. Overview The use of Closed Circuit Television or Surveillance Cameras (collectively known as CCTV) that capture and process images of individuals, who can be identified from those

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Glyncoed Primary School. Data Protection Policy

Glyncoed Primary School. Data Protection Policy Glyncoed Primary School Data Protection Policy Date agreed: March 2015 Review date: March 2017 1 Data Protection Policy Glyncoed Primary School collects and uses personal information about staff, pupils,

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

Data Protection and Information Security Policy and Procedure

Data Protection and Information Security Policy and Procedure Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

Staple Hill Primary School. Data Protection Policy

Staple Hill Primary School. Data Protection Policy Staple Hill Primary School Data Protection Policy Staple Hill Primary School collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school.

More information

HORIZON OIL LIMITED (ABN: 51 009 799 455)

HORIZON OIL LIMITED (ABN: 51 009 799 455) HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

PRIVACY POLICY Personal information and sensitive information Information we request from you

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Document Management: Date Policy Approved: 29 April 2015 Date Amended: Next Review Date: April 2017 Version: 1 Approving Body: Resources Committee 1 1. Introduction The Data Protection

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Personal Data Protection Policy

Personal Data Protection Policy Personal Data Protection Policy Please take a moment to read the following Policy. If there is anything you do not understand then please contact us. We are committed to protecting privacy. This Personal

More information

Access to Information: Data Protection and Freedom of Information

Access to Information: Data Protection and Freedom of Information Access to Information: Data Protection and Freedom of Information Records Management Section Data protection: key concepts Personal data Sensitive personal data Data subjects Data protection principles

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Falkirk Council Data Protection Guidelines

Falkirk Council Data Protection Guidelines Falkirk Council Data Protection Guidelines Contents Contents 2 Objectives 3 What does the Data Protection Act 1998 do? 3 Who is who under the Data Protection Act 1998? 4 Definitions 4 The Eight Principles

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Data Protection and Community Councils Briefing Note

Data Protection and Community Councils Briefing Note Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Approved by Governors Date: 15 March 2016 Signed Chair of Governors Date of Review: Introduction Blessed Trinity RC College collects and uses personal information about staff, pupils,

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Version 1. Chair of Governors Signature.. Review Date: Spring term 2017

Version 1. Chair of Governors Signature.. Review Date: Spring term 2017 Version 1 Chair of Governors Signature.. Date of Adoption/Ratification: 4 th February 2015 Review Date: Spring term 2017 Purpose Cliff Park School s Trust collects and uses personal information about staff,

More information

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security

More information

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 -

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 - Leeds City Council Data Protection Policy - 1 - Document Control Organisation Leeds City Council Title Data Protection Policy Author Mark Turnbull, Legal Services Filename DPA policyvr1.doc Owner Assistant

More information

Information Governance

Information Governance CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES INTRODUCTION These Policies and Procedures apply to all CIPFA volunteers that have access to, use, store and share significant amounts of personal data. It is critically important that this data is handled

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Health and Safety Policy Part 1 Policy and organisation

Health and Safety Policy Part 1 Policy and organisation Health and Safety Policy Part 1 Policy and organisation ICO H&S Policy Policy and organisation, June 2014 Page 1 of 6 1. Scope 1.1 The Health and Safety policy applies to all employees of the Information

More information