National Probation Service Data Protection Policy


National Probation Service, January 2008. UNCLASSIFIED. data_protection_policy_v2.4

REFERENCES

Title:
Synopsis: for the National Probation Service to cover all members of the NPS Community
Reference: PIT-SEC-POL-0005 V2.3
Status:
Version No.: 2.4
Issued Date: 20th December 2007
Originator: References:

British Standards Institute
National Probation Directorate / Home Office
The Stationery Office
A. Pearson

BS ISO/IEC 27001:2005 Information Security Management Systems Specification with Guidance for Use
ISO/IEC :2000 Information Security Management Part 1: Code of Practice for Information Security Management, BSI, 2000
Manual of Protective Security
NPS Business Continuity Policy
NPS Clear Desk Policy
NPS Community Information Security Policy
NPS & Internet Communications Policy
NPS Incident Management Policy
NPS IS & Network Monitoring Policy
NPS IT Asset and IT Media Disposal Policy
NPS Logical Access Control Policy
NPS Password Policy
NPS Physical Security Policy
NPS Protective Marking Policy
NPS Remote working Policy
NPS Vetting Policy
Computer Misuse Act 1990
Copyright, Designs and Patents Act 1988
Crime and Disorder Act 1998
Criminal Justice and Court Service Act 2000

Other

Data Protection Act 1998
Data Protection Codes of Practice
Disability Discrimination Act 1995
Electronic Communications Act 2000
Human Rights Act 1998
Lawful Business Practice (Interception of Communications) Regulations 2000
Official Secrets Act 1989
Police and Criminal Evidence Act 1984
Privacy and Electronic Communications (EC Directive) Regulations 2003
Race Relations Act (Amendment) 2000
Regulation of Investigatory Powers Act 2000
OMNI contract
NOMIS V1.0
Manual of Protective Security (MPS)

CHANGE RECORD

Issue No; Date; Issued by; Reason for Issue

08/08/02-15/12/04; S. Chiverton; Initial draft Prior Issued Policy
/02/05; L. Moeller; GSI Revisions
/03/05; A. Pearson; Integration with NOMIS Data Protection Policy
/04/05; L Moeller; Deployment to Areas
/04/06; A Isom; Update to Processes for Handling Subject Access Requests
/04/06; A Isom; Update of definitions
/04/06; A Isom; Incorporation of Requirements for processing CONFIDENTIAL data
/01/08; R Nicholls; Addition of PROTECT and updated references

DISTRIBUTION LIST

Copy; Issued to

1; NOMS NPS Security Project Board
2; NOMS Union and Employer Consultative Groups
3; NOMS Live Services
4; NPS Chief Officers and the NPS

Table of Contents

1. INTRODUCTION
BACKGROUND
POLICY INTENTION
CITATION AND COMMENCEMENT
NPS INFORMATION
GOVERNMENT PROTECTIVE MARKING SCHEME
EQUALITY, DIVERSITY AND HUMAN RIGHTS
REQUIREMENTS OF THE DATA PROTECTION ACT
RIGHTS AND PRINCIPLES
DATA PROTECTION POLICY
SCOPE OF THIS POLICY
POLICY OBJECTIVES
NOTIFICATION
THE EIGHT PRINCIPLES
RETENTION GUIDELINES
DATA DESTRUCTION
SUBJECT ACCESS REQUESTS
SUBJECT ACCESS REQUESTS PROCESS PRIOR TO IMPLEMENTATION OF NOMIS
SUBJECT ACCESS REQUEST PROCESS AFTER IMPLEMENTATION OF NOMIS
THIRD PARTY REQUESTS FOR PERSONAL DATA
VEXATIOUS REQUESTS
RESPONSIBILITIES
LOCAL SYSTEMS CONTROLLER
ALL AUTHORISED USERS
LOCAL PROCEDURES AND CODES OF PRACTICE
ANNEX A: NOMIS AIMS FOR DATA SHARING
ANNEX B DATA SHARING
ANNEX C TEMPLATE DATA PROTECTION NOTIFICATION
ANNEX D NOMIS DATA RETENTION POLICY
ANNEX E - NPS DATA PROTECTION ACT CHECKLIST
ANNEX F DEFINITIONS

1. INTRODUCTION

1.1. Background

The National Probation Service (NPS) areas are required to collect, use, store and process personal and sensitive personal information on Offenders, Visitors, Victims, NPS staff (including contractors and temporary staff) etc. in order to fulfil both primary operational functions and statutory requirements in the management of Offenders. By processing NPS information there is a potential risk that the freedoms and rights of the data subjects might be prejudiced.

It is therefore important that each Area and all authorised users are sufficiently informed of their duties, obligations and liabilities in accordance with the Data Protection Act 1998 (DPA) in order to:

- Protect the data subject and the organisation from compromise of personal information;
- Ensure that authorised users and Local System Controllers comply with the eight Principles of the Data Protection Act 1998 and associated Regulations;
- Provide a secure Information Management system in compliance with ISO 27001;
- Comply with the Common Law Duty of Confidentiality;
- Ensure that authorised users understand that they shall not breach the Data Protection Act when fulfilling a Freedom of Information Act 2000 request.

Policy Intention

This policy provides clear objectives and responsibilities for each data controller within the NPS Community, any data processors of NPS information and all authorised users to ensure no compromise of NPS information and/or personal information. Furthermore, this Policy ensures that authorised users comply with the Data Protection Act 1998 and the NOMIS which supports the NOMIS Aims for Data Sharing which are included at Annex A to this Policy.

Citation and Commencement

This document will be known as the National Probation Service Data Protection Policy (ref. PIT-SEC-POL-0005 Data Protection Policy V2.3) and will come into immediate effect for all NPS areas and authorised users. This Policy supersedes all previous versions. This document will be subject to periodic review and amendment. Areas must ensure that the current version is deployed and made available to all relevant authorised users. In the event of any query concerning this Policy, enquiries should be made to the NOMS OMNI Security Team.

2. NPS INFORMATION

The NPS processes personal information and sensitive personal information relating to offenders, victims, staff, contractors, temporary staff (including partner organisations) and other third parties. This information is contained in NPS electronic case management systems, physical files and document extracts, and may also be stored on portable storage devices such as laptops, removable discs, CDs and diskettes.

Authorised users will also disclose personal data and sensitive personal data to the NOMIS data controller if the authorised user inputs information into NOMIS (see Annex B Data Sharing). Likewise, an authorised user may have personal data and/or sensitive personal data disclosed to them by the NOMIS data controller when the authorised user is given the ability to view NOMIS information.

If all of the above information (NPS information and NOMIS information) were to be subject to disclosure to an unauthorised third party there is a risk that harm may come to the data subject of the personal information and potentially expose a probation area, the NPS and/or the Home Office to litigation. The risk of harm is defined within the Government Protective Marking Scheme and as such, all authorised users must comply with the NPS Protective Marking Policy.

Government Protective Marking Scheme

For the avoidance of any doubt, all personal data and all sensitive personal data processed by NPS and each probation area shall be treated as being at least RESTRICTED information (unless following a risk assessment it is agreed that PROTECT is appropriate) and must therefore be handled in accordance with the Government Protective Marking Scheme and the Manual of Protective Security.

Equality, Diversity and Human Rights

In accordance with the Race Relations (Amendment) Act 2000 this policy has been subject to assessment of the potential adverse impact it may have on minority ethnic groups. Following this assessment it is not believed that this Policy will have any such adverse impact. This Policy has been developed in accordance with gender, disability and human rights legislation. This Policy can be made available in accordance with the Freedom of Information Act.

3. REQUIREMENTS OF THE DATA PROTECTION ACT 1998

The Data Protection Act applies to all recorded personal data processed by probation areas and therefore applies to all personal data and sensitive personal data that forms part of NPS information.

Personal data relates to living, identifiable individuals and includes:

- Factual information;
- Expressions of opinion;
- Indications of intent (by the NOMS organisation holding the information or otherwise).

Sensitive personal data relates to living, identifiable individuals and encompasses their:

- ethnic origin;
- political opinions;
- religious or other beliefs;
- trade union membership;
- physical or mental health;
- sexual life;
- offences;
- criminal proceedings and sentencing.

Probation areas process large amounts of personal data and sensitive personal data. The Data Protection Act not only confers on individuals a right of access to their personal data being processed by a probation area, subject to exemptions laid down in the Act, but obliges probation areas (each as separate data controllers) to process such information fairly.

It is critical that disclosures to third parties are not made inappropriately and in breach of the Data Protection Act. In practice, this will often mean that Areas must not disclose personal data and/or sensitive personal data on any individual to a third party without the data subject's explicit consent. However, such personal data may be disclosed without the data subject's consent to third parties when it is necessary to carry out the functions of the probation area (which will cover most day to day duties), when it is reasonable in all the circumstances and/or when there is an agreed protocol in place to govern it, e.g. with the police.

Under some circumstances areas will be required to make disclosures of NPS information to third parties by law, e.g. to the courts. Under these circumstances disclosure can be made without breaching the Act.

3.1. Rights and Principles

Any individual on whom personal data is being processed by NPS enjoys seven rights under the DPA. These are the:

- right of subject access;
- right to prevent processing likely to cause damage or distress;
- right to prevent processing for the purposes of direct marketing;
- rights in relation to automated decision-taking;
- right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller;
- right to take action to rectify, block or destroy inaccurate data; and
- right to make a request to the Information Commissioner to assess if any provision of the Act has been contravened.

The Data Protection Act also lays down eight principles which govern how the NPS and each individual Area must process personal data. These are that personal data must be:

1. Processed fairly and lawfully;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive in relation to the purposes for which they are recorded;
4. Accurate and, where necessary, be kept up to date;
5. Kept no longer than is necessary for the purpose or purposes for which it is being processed;
6. Processed in accordance with the Data subject's rights under the Act;
7. Kept secure and protected against unauthorised disclosure, loss or damage; and
8. Adequately protected if transferred to countries outside the European Economic Area.

The principles place a number of obligations and responsibilities on each data controller within the NPS, and therefore also on Local Systems Controllers and authorised users, which must be complied with. See section 7 of this Policy.

4. DATA PROTECTION POLICY

4.1. Scope of this Policy

This Policy applies to all authorised users of NPS information and NOMIS information including permanent and temporary staff employed within the NPS community as well as all contractors, partners and third parties who will have access to personal information processed by the NPS or within an area. This Policy applies to all NPS information including sensitive personal data processed by the NPS.

Policy Objectives

The objectives of this Policy are to:

- Ensure that each probation area always holds a current and valid Data Protection Notification which warrants that they can process personal data for all their statutory requirements as well as to allow effective Data Sharing with the NOMIS data controller;
- Ensure that no unlawful or unauthorised processing, compromise, misuse or disclosure occurs in respect of any NPS information, NOMIS information or personal information (including sensitive personal information);
- Ensure that all areas comply with the rights of the data subject as defined within the Data Protection Act 1998;
- Ensure that all authorised users comply with this Policy;
- Ensure that all NPS Areas comply with the Data Protection Act 1998;
- Ensure that all authorised users and Local System Controllers comply with the requirements of the NOMIS Data Protection Policy.

4.3. Notification

It is a legal requirement that every data controller is registered with the Information Commissioner using a Data Protection Notification. Each Local System Controller must therefore ensure that their Data Protection Officer completes and submits an up to date Data Protection Notification (the Template for which is detailed at Annex C to this Policy) with the Information Commissioner's Office on at least an annual basis to describe all the purposes for which it processes personal data. This Notification ensures that each probation area is legally allowed to process NPS information to fulfil NPS Statutory responsibilities as well as share data in accordance with the aims and objectives of NOMIS and therefore with all those organisations who have a legitimate business need to share Offender Information.

Authorised users must only process NPS information in accordance with this Policy and must only share NPS information in accordance with their particular area's Data Protection Notification.

The Eight Principles

The NPS areas must comply with the 8 Principles of the Data Protection Act. The principles contain a number of obligations and responsibilities on the Local Systems Controller and the authorised user. See Section

Retention guidelines

Under the Data Protection Act 1998 there is a requirement to retain personal data for no longer than is necessary to meet the purposes for which they are collected, which will include all personal information processed by the NPS and all personal data contained within NOMIS. The Rehabilitation of Offenders Act 1974 requires that Offender Information shall not be retained for longer than 10 years after a qualifying sentence under the Act has become spent.

In order to comply with both pieces of legislation, ensure that the NOMS community requirements for data retention are met, and meet the aims and objectives of NOMIS, the NOMIS Data Retention Policy contained within the NOMIS must be complied with in respect of NOMIS information (See Annex D).

The NPS area shall store NPS information for a period of time according to the subject and issue that it is relating to. There is a legal requirement to provide retention periods for NPS information and ensure that NPS information is periodically reviewed and that any unnecessary, inaccurate, irrelevant or excessive information is removed and securely destroyed [1].

[1] Reference: NPS IT Asset and IT Media Disposal Policy, NPS Protective Marking Policy.

The following retention periods are based on the ACOP Data Protection Code of Practice 2002 and the requirements of the Data Protection Act. Any retention period should be treated as a benchmark as there might be situations where the data should be held for shorter or longer periods than those recommended in the table below, and these periods may also be altered by subsequent legislation or NOMS regulations. Archived and current records will be disposed of within one year of the known death of the data subject, unless there are any requirements for the record to be made available for review.

Information relating to; Suggested retention period

- Non statutory offender contact: 1 year from last recorded contact.
- Statutory offender contact, determinate sentences: 6 years from termination of last statutory supervision or report preparation. Retention of archived records beyond the initial 6 years must be based on clearly documented criteria, e.g. reference to risk of harm, and should be for a specified period only before further management review. The period and reasons for extension must be documented on the case file.
- Statutory offender contact, life sentences: Upon death of lifer or 99 years after date of birth.
- Victims: 1 year from the expiry date (SED) of the relevant sentence.
- Staff records, unsuccessful applicants: 6 months after unsuccessful job application.
- Staff records, employees: 6 years after leaving Service.
- CRB disclosures: 6 months from date of receipt.
- Area and Board members and any other individuals with whom the Area has had financial dealings: 6 years after membership or payments cease.
- CCTV images recorded for accredited and other programmes for offenders: 2 years from end of the programme, or on completion of quality assurance audit, whichever is the later date.
- CCTV images recorded for crime prevention and health and safety purposes: 30 days maximum, but less if this is long enough for any crime or health and safety incident to have been detected.

5. DATA DESTRUCTION

Authorised users shall securely dispose of electronic copies of NPS information in accordance with the retention policy in section 4 above.

When any IT asset that has ever been used, either temporarily or permanently, to store NPS information is determined to be excess to requirements or due for disposal, the IT asset must be disposed of using a SEAP Approved Contractor only, in accordance with the NPS IT Asset and IT Media Disposal Policy.

Any NPS information held in paper form that is selected for destruction must be removed in confidential waste bags and be disposed of by a competent SEAP security cleared operator or appropriate device, e.g. a cross cut shredder compliant with the Manual of Protective Security (MPS).

6. SUBJECT ACCESS REQUESTS

A Subject Access Request is a request made under Section 7 of the Data Protection Act whereby a data subject (or someone working on their lawful authority) makes a written request for access to or a copy of any of their personal data being processed by a data controller, including details of any third parties to whom such personal data has been shared. In law, a Subject Access Request is made to a data controller and the data controller is required to provide an intelligible copy of all personal data and/or sensitive personal data that they are processing on the data subject and not any personal data being processed by any other data controller.

Subject Access Requests Process Prior to Implementation of NOMIS

If a valid Subject Access Request (made in writing, providing enough information so as to identify the data subject, with an address or contact details for correspondence and the inclusion of a fee of £10) is received by any individual within a probation area prior to the implementation of NOMIS, the data subject must be provided with an intelligible copy of all their personal data and sensitive personal data held in any form by the probation area concerned.

[Figure 1: Subject Access Request Process Prior to Implementation of NOMIS. Diagram labels: Subject Access Request from Data Subject; Area Handles SAR Directly; Probation Areas; Probation Area SAR Information; NPS Personal Data Provided to Data Subject.]

All Subject Access Requests received by areas must be handled in accordance with this Policy and Local Procedures to be developed by each Local System Controller.

6.2. Subject Access Request Process After Implementation of NOMIS

In order to maintain an Open Government approach and to be as helpful as possible to data subjects, a different process must be followed when responding to valid Subject Access Requests after the implementation of NOMIS. Although not legally obliged, data controllers will be required under this Policy, upon receipt of a valid Subject Access Request from a data subject, to provide to the data subject an intelligible copy of all their personal data and sensitive personal data being processed by the probation area concerned and a copy of the NOMIS Subject Access Report available from NOMIS. Both sets of information must be provided to the data subject within 40 calendar days of receipt of the Subject Access Request.

[Figure 1: Subject Access Request Process Prior to Implementation of NOMIS. Diagram labels: Subject Access Request from Data Subject; Area Handles SAR Directly; Probation Areas; Probation Area SAR Information; NOMIS; NPS SAR Report; Personal Data Provided to Data Subject.]

A NOMIS Subject Access Report created by an authorised user who is not a member of the NOMS Open Government Unit shall automatically include the following statement:

"This NOMIS Subject Access Report is being provided voluntarily and we are not the data controller in respect of this information. The data controller is the Chief Executive of NOMS and therefore all queries pertaining to the Report should be directed to the Open Government Unit within NOMS. We cannot accept any liability for the accuracy of any information contained within this Report or omitted from this Report."

If a data subject makes any subsequent requests for any further personal data and/or sensitive personal data that they believe is being processed on them within NOMIS, the data subject must be advised to contact the Open Government Unit within NOMS. The Open Government Unit will handle the data subject's subsequent request directly.

Third party Requests for Personal data

In general, Subject Access Requests can be made on behalf of a data subject (e.g. by a solicitor or family member) provided it contains the fee and the signed authority of the data subject to disclose their personal data to that person.

Vexatious Requests

Probation areas are not required to comply with vexatious Subject Access Requests or requests which have been repeated within an unreasonably short length of time. The term vexatious is not defined in the Act.

7. RESPONSIBILITIES

Each probation area must ensure that any processing of personal data and sensitive personal data is carried out in accordance with the Data Protection Act, their Data Protection Notification and the Data Protection Act Principles.

Local Systems Controller

There is a duty in law to maintain the Confidentiality of NPS information which is disclosed to a Probation area(s) and/or the NPS in pursuance of a statutory duty or under the Law of Confidence. Failure to maintain Confidentiality of NPS information may result in a breach of the Official Secrets Act 1989 or a civil suit. Probation area Boards have a corporate responsibility, whilst their members, employees, contractors and temporary staff have individual responsibility, to maintain the Confidentiality of Personal information.

It is the responsibility of the Data controller to comply with the 8 principles of the Data Protection Act. These are referenced in the table below.

It is the responsibility of the Data controller to ensure that before any Personal data is processed at least one of the conditions set out in the DPA is met. These include:

- The Data subject has given consent to the Processing (not required for the fulfilment of a statutory function);
- The Processing is necessary for the performance or setting up of a contract or other contract to which the Data subject is party;
- Processing is necessary for non-contractual legal obligations;
- Processing is necessary to protect the vital interests of the Data subject;
- Processing is necessary for the administration of justice or functions of a public nature (this will most often be the case in respect of individual Area's Processing of both Offender and Victim Personal information);
- Processing is necessary for the purposes of the legitimate interests pursued by the Data controller or a third party to whom the Personal data is disclosed.

If the Processing includes Sensitive Personal data at least one of the following further set of conditions must be met:

- The Data subject has given explicit consent to the processing (not required to fulfil a statutory function);
- Processing is lawful or a legal requirement in connection with employment;
- Processing is necessary to protect the vital interests of the Data subject or another person;
- The Data subject has already taken deliberate steps to make the information public;
- Processing is necessary in connection with legal proceedings;
- Processing is necessary for administration of justice or exercise of crown functions (this will most often be the case in respect of individual Area's Processing of both Offender and Victim Personal information);
- Processing is necessary for medical purposes and is undertaken by a health professional.

Local System Controller responsibilities are detailed in the table below.

All Authorised users

Under the Data Protection Act 1998 individual employees, contractors, temporary staff and/or managers may be held criminally liable for instances in which Personal information, or information obtained in confidence, is disclosed, knowingly or recklessly, outside the terms of the relevant Probation area's Data Protection Notification.

In certain circumstances, Data subjects can sue for compensation if third parties (which can include employees, contractors and temporary staff who have no legitimate business justification to Process the Personal information) obtain Personal information about Data subjects unjustifiably (without legitimate business reason in accordance with the particular Area's Data Protection Notification).

Where any authorised user exceeds their lawful authority to process NPS or personal information, they may be liable to prosecution under the Computer Misuse Act. Authorised users' responsibilities are detailed in the table below. Breach of this policy may result in disciplinary action.

21 Local System Controller (Data controller) and Authorised user Responsibilities in accordance with the 8 Principles of the Data Protection Act DPA Principle Data controller Authorised user 1 Personal data shall be Processed Fairly and Lawfully Personal information must only be processed if one of the conditions laid down in Schedule 2 to the Data Protection Act is met such as those purposes specified in Part 1 of the Criminal Justice and Court Service Act 2000 and in any other relevant subsequent legislation. Maintain an up to date data protection notification with the Information Commissioner as detailed within Annex C of this Data Protection Policy. If there is no statutory purpose for processing Offender/Victim personal data ensure that the data subjects are informed of the purpose or purposes for which the NPS information is processed and the range of third parties with whom the data will be shared. Only process sensitive personal data with the Only process personal data in accordance with their particular area s data protection notification. Only process sensitive personal data with the express consent of the data subject or where it is data_protection_policy_v2.4 Page 16

22 DPA Principle Data controller Authorised user express consent of the data subject or where it is required by law or by the statutory duties placed upon the NPS or in cases where one of the other conditions laid down in Schedule 3 to the Data Protection is met. For the avoidance of any doubt, if there is a statutory requirement to process sensitive personal data there is no requirement to obtain consent from the data subject. Appoint a Data Protection Officer to ensure compliance with the Data Protection Act and this Policy including: Manage Data Protection Subject Access Requests and general Data Protection enquiries; Maintain an up to date level of knowledge of Data Protection Act legislation, case law and relevant developments within related legislative areas; required by law or by the statutory duties placed upon the NPS or in cases where one of the other conditions laid down in Schedule 3 to the Data Protection Act is met. For the avoidance of any doubt, if there is a statutory requirement to process sensitive personal data there is no requirement to obtain consent from the Data subject. data_protection_policy_v2.4 Page 17

23 DPA Principle Data controller Authorised user Encourage, monitor and audit compliance with this NPS ; Promote awareness and provide guidance and advice on the Data Protection Act 1998 as it applies within the particular probation area, through training and procedural development; Liaise with external organisations on Data Protection Issues; Advise Authorised users of their responsibilities under the Data Protection Act 1998, including Subject Access requests. Report any failures to comply with this Data Protection Policy in accordance with the NPS Incident Management Policy. Manage all failures to comply with this Data Protection Policy in accordance with the NPS Incident Management Policy. 2 Personal data shall only be obtained and Processed Ensure that the Data Protection Officer submits a valid data protection notification which is data_protection_policy_v2.4 Page 18

24 DPA Principle Data controller Authorised user for one or more purposes registered with the Information Commissioner, using the template as detailed in Annex C of this Policy. Maintain necessary updates and renewal of the Notification to ensure that the purpose or purposes for which the personal information is collected is available to the data subject. Ensure that any potential changes to processing are reported immediately to the Data Protection Officer. Ensure that personal information forming NPS information that is shared with other organisations for research purposes is not used by the recipient to make any decisions concerning the data subject. Ensure written consent of the data subject for any use of personal data for training or public relations purposes. Do not share personal information with third parties for research purposes without the express permission of the Local System Controller. Never use personal data for public relations purposes without the express consent of the Local System Controller. Ensure that if NPS information is shared with partners or organisations outside the NPS, and this is not a statutory duty or necessary for the administration of justice or does not meet one of the other conditions laid down in Schedule 2 of data_protection_policy_v2.4 Page 19

25 DPA Principle Data controller Authorised user the Data Protection Act, an Information Sharing Protocol is in place to certify that the recipients have appropriate security measures implemented. 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are Processed Ensure that only relevant personal data is collected and processed on data subjects. Ensure that excessive personal data is not processed on data subjects. Ensure that there is adequate personal data held on a data subject to make sure that the data subject making a Subject Access Request can be identified and validated as being the subject of the personal data. Review any active relevant filing system containing personal data at regular intervals to ensure that the personal data held therein is no more than is required for the notified purposes and the personal data is adequate to identify the data subject and fulfil the purpose for which it Ensure that only relevant personal data is collected and processed on data subjects. Ensure that no excessive personal data is processed on data subjects and/or stored in private files. data_protection_policy_v2.4 Page 20

has been collected.
Ensure that all data collection forms and procedures do not seek personal data beyond that which is relevant and necessary for the purposes for which it is processed.
4 Personal data shall be accurate and, where necessary, kept up to date
Ensure that procedures are in place to achieve the highest possible level of accuracy of personal data processed in the area.
Provide procedures and communicate these to authorised users for updating personal records promptly as new data becomes available.
Undertake regular audits of personal data accuracy according to local procedures.
Ensure an audit trail of any disputes regarding the accuracy of personal data and any assessments of the data subject.
Comply with local procedures to ensure data accuracy.
Update all personal data as soon as any changes come to your attention.
If a data subject disputes the accuracy of the personal data being processed on them, contact your Local System Controller if you cannot resolve the issue quickly and readily.

5 Personal data shall not be kept for longer than is necessary for the purpose or purposes for which it is Processed
6 Personal data shall be processed in accordance with the rights of the Data
Provide written procedures and communicate these to Authorised users for responding to complaints about the accuracy of data processed by the organisation.
Comply with the Data Retention Guidelines (ref: 4.5) included within this Policy.
Produce local procedures in accordance with the ACOP Data Protection Code of Practice
Conduct regular audits to ensure that all archived electronic and paper files will be marked with an earliest date for disposal or for further review.
Ensure that all reviews of archived files beyond their earliest disposal date will be conducted at least annually.
Comply with the Subject Access Guidelines (ref:6) contained within this Data Protection
Comply with local procedures for managing complaints about personal data accuracy.
Comply with the Data Retention Guidelines included within this Policy.
Mark all personal data in accordance with the local procedures.

subject
Policy.
Provide written procedures for handling and responding to a Subject Access Request (SAR) and communicate these to all authorised users.
Develop written complaints procedures, communicate these to authorised users and make them available for any data subject or any other interested party.
Ensure that the number of subject access requests, objections to processing, and objections to data accuracy, are recorded and reviewed regularly to assess implications for local procedures.
Provide a written notice to explain the basis of the decision to any data subject who is significantly affected by a decision based solely on the processing by automatic means of personal data.
Ensure that all relevant filing systems
Handle Subject Access Requests in accordance with local procedures.
Ensure that any complaints relating to the use of personal data are handled in accordance with local procedures.
Obtain authority from a senior manager before relying on a statutory exemption under the DPA 1998, for withholding personal data from a SAR.
Ensure that no personal data on a Third party is released as part of a SAR without the consent of the Third party, unless this is public knowledge or reasonable to disclose given the circumstances.
Ensure positive identification of the data subject before any personal data is disclosed.

maintained by the probation area that may be accessed in response to a subject access request are defined.
7 - appropriate technical and organisational measures shall be taken to secure Personal data
Ensure that NPS information security policies are implemented and complied with throughout the area.
Ensure all authorised users sign a Confidentiality Statement in accordance with the common law duty of confidentiality and the protection of personal data in accordance with the DPA.
Provide written information describing local procedures and training to inform all Authorised users of their responsibilities for Data Protection, as set out in this Policy.
Ensure that NPS information is only processed on NPS IT Assets.
Provide local procedures for disposal of NPS information.
Sign a confidentiality statement to acknowledge that you have been informed of your individual responsibilities and liabilities for protecting personal data.
Read any briefing notices and undertake all training as required to ensure compliance with this Policy.
Do not process NPS information on non IT Assets.
Comply with local procedures for disposal of NPS information.

Ensure that all authorised users comply with the following NPS Policies:
NPS Business Continuity Policy
NPS Clear Desk Policy
NPS & Internet Communications Policy
NPS Community Information Security Policy
NPS Incident Management Policy
NPS IS & Network Monitoring Policy
NPS IT Asset and IT Media Disposal Policy
NPS Logical Access Control Policy

Ensure that you comply with the following NPS Policies when processing NPS information:
NPS Business Continuity Policy
NPS Clear Desk Policy
NPS & Internet Communications Policy
NPS Community Information Security Policy
NPS Incident Management Policy
NPS IS & Network Monitoring Policy
NPS IT Asset and IT Media Disposal Policy
NPS Logical Access Control Policy

NPS Password Policy
NPS Physical Security Policy
NPS Protective Marking Policy
NPS Remote working Policy
NPS Vetting Policy
Ensure that use of CCTV is reviewed annually for compliance with the DPA.
Ensure that the local Codes of Conduct and Disciplinary Procedures address breaches of the NPS.

NPS Password Policy
NPS Physical Security Policy
NPS Protective Marking Policy
NPS Remote working Policy
NPS Vetting Policy
Take special precautions when working in remote working locations to ensure the confidentiality and integrity of NPS information.
Particular note should be taken of NPS diaries which will contain personal data about other colleagues as well as Offenders and Victims.
Do not give any unauthorised user access to any personal data contained on any IT Asset.
Never share your password for access to IT Assets with any third party or any other

authorised user.
Never attempt to access the Communications Infrastructure using any other authorised user's password.
Protect all personal data in accordance with the Government Protective Marking Scheme (GPMS) and NPS Protective Marking Policy.
Never share personal data such as that contained within ViSOR with any third party such as friends or family.
Never leave a computer terminal unlocked i.e. available to any third party to use.
Ensure that all electronic copies and paper based copies of personal data cannot be viewed or retrieved by any third party or any authorised user who does not have the appropriate access permissions to see the information.

8 Personal data shall not be transferred outside the European Economic Union without an adequate level of protection
Ensure that no personal data is transferred outside the European Economic Union, unless the personal data is protected appropriately in other ways, the Data subject has given explicit consent or the transfer is in accordance with statutory requirements.
Complete and ensure ongoing compliance with the NPS Data Protection Checklist as detailed in Annex E.
Do not transfer any personal data contained within or derived from NPS or NOMIS to countries outside the European Economic Area unless there is a statutory requirement to do so and/or the data subject has given their explicit consent in writing or Schedule 4 to the Data Protection Act applies.

8. LOCAL PROCEDURES AND CODES OF PRACTICE

Local procedures and Codes of Practice, in support of this policy, provide detailed information relating to Data Protection within each Probation area. In the event of any uncertainty, Authorised users should contact their Local System Controller, who is responsible for creation and maintenance of local procedures. Local procedures shall include such definitions as are necessary and shall describe the specific details involved and special arrangements within the Area, including staff contact details etc.

ANNEX A: NOMIS AIMS FOR DATA SHARING

Principle 1 NOMS Information is a corporate resource. It belongs to the organisation - it does not belong to any individual or group, except where specific confidentiality rules apply.
Principle 2 There must be a shared understanding that any party who uses the NOMIS system, by implication, allows all parties, with relevant access controls, to use the system to read, create and update data present on NOMIS.
Principle 3 Information must be made accessible to others in the NOMS community, except where there is a specific reason not to.
Principle 4 It is necessary to adopt a consistent approach to managing information across the whole of the NOMS.
Principle 5 Information will need to be retained for prescribed periods on behalf of NOMS.
Principle 6 Information created on behalf of NOMS must be accurate and fit for purpose.
Principle 7 NOMS staff are personally responsible for the effective management of the information they create or use.
Principle 8 In managing information staff must comply with the relevant statutory and regulatory requirements.
Principle 9 All data that is held on NOMIS will be at no higher than RESTRICTED.

ANNEX B DATA SHARING NOMIS

In order to create an effective end to end Offender Management Service and effective rehabilitation of Offenders it is essential to have an unfettered exchange of Offender Information within the NOMS community and with particular Third Parties such as the Department for Health, Voluntary and Community Sector who run accredited rehabilitation programmes and DfES. This requires the ability to share Offender and Victim Information in both a timely and efficient manner with those users who have a legitimate business need to utilise the information. This will materially assist with the management and rehabilitation of Offenders and will help work towards a real reduction in re-offending rates.

The most effective way to achieve this is to share Offender Information electronically in real time within the legal framework of the Data Protection Act 1998 and other related legislation. Delays in information exchange may potentially cause harm to Offenders, employees and contractors as well as victims. NOMIS is a single national database, the first of its kind, to provide such a real time data sharing capability.

The sharing of Offender Information has many risks associated with it. The NOMIS Code of Connection and Authorised users' compliance with all the supporting NOMIS policies and procedures ensure that NOMIS maintains the Confidentiality, Integrity and Availability of NOMIS information at all times. The NOMIS Data controller requires that all Authorised users accessing NOMIS comply with the NOMIS.

There will be occasions when NOMIS information will need to be shared with other Criminal Justice Organisations and third parties in pursuance of their support for an offender outside of traditional rehabilitation facilities.

NOMIS Data controller

The Data controller for NOMIS is the Secretary of State who has delegated their responsibilities and powers for NOMIS to the Chief Executive of NOMS and shall be referred to within this Policy as the NOMIS Data controller. For the avoidance of any doubt the Data controller for all information contained within NOMIS is the Chief Executive of NOMS. As such, no other person or organisation is authorised to determine the manner in which NOMIS is used by any Authorised user.

This Policy details the manner in which the Chief Executive of NOMS requires that NOMIS and all NOMIS information be handled and Processed. As such, all Authorised users and Local System Controllers must comply with the NOMIS Code of Connection, the NOMIS Data Protection policy and all other policies and procedures which form part of the NOMIS Code of Connection. Failure to do so will result in removal of all access rights to NOMIS and in certain cases may lead to criminal and/or civil actions being taken against an individual.

Disclosure of NOMIS information

NOMIS information will be disclosed to Authorised users within NOMS Organisations whenever an Authorised user accesses an Offender or Victim record within NOMIS. This is a legal disclosure of the Offender (and potentially victims as well) Personal data and/or Sensitive Personal data from the NOMIS Data controller to the Authorised user. For the avoidance of any doubt, the NOMIS must be complied with by all Authorised users to govern their Processing of Offender (and potentially Victim as well) Personal data and Sensitive Personal data when the NOMIS Data controller discloses Personal data from NOMIS to an Authorised user.

Transfers of NOMIS information into other Systems

Authorised users may, on occasions, be required to transfer NOMIS information into IT systems not controlled by the NOMIS Data controller. Such transfers of NOMIS information may only be made in pursuance of a statutory duty and shall comply at all times with the written instructions of the NOMIS Data controller which may be amended from time to time.

Transfer of NOMIS information to Third Parties

There will be occasions when NOMS will need to take copies of information derived from NOMIS to share with other organisations such as Social Services and Customs and Excise, for example. For the avoidance of any doubt Authorised users shall only transfer copies of Personal data and/or Sensitive Personal data to organisations listed on the NOMS Data Sharing List managed by the NOMS Open Government Unit. For advice as to which organisations NOMIS information can be shared with, contact the NOMS Open Government Unit.

ANNEX C TEMPLATE DATA PROTECTION NOTIFICATION

Purpose 1 STAFF ADMINISTRATION
This is processing for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the Data controller.

Data subjects
Probation Board and Area members
Staff employed by service providers commissioned/contracted to NOMS
Staff including volunteers, agents, temporary and casual workers past, present and prospective.

Data Classes
Criminal proceedings, outcomes and sentences
Disability/impairment
Education and training details
Employment details
Family, lifestyle and social circumstances
Financial details
Goods or services provided
Offences (including alleged offences)
Personal details
Physical or mental health
Racial or ethnic origin
Religious or other beliefs of a similar nature
Sexual life
Sexual Orientation
Trade Union Membership

Recipients
Central Government (including the National Probation Directorate/National Offender Management Service)
Current, past or prospective employers of the data subject
Data processors
Data subjects themselves
Education, training establishments and examining bodies
Employees and agents of the data controller
Employment and recruitment services
Financial organisations and advisers
Healthcare, social and welfare advisers or practitioners
Local Government (including Probation area Boards)
Relatives, guardians or other persons associated with the data subject

Suppliers, providers of goods and services
Trade, employer associations and professional bodies
Secretary of State

Transfers of Personal data
None outside of the European Economic Area

Purpose 2 ADMINISTRATION OF JUSTICE
Discharging court business
Internal administration and management of courts of law or tribunals
Prevention of crime
Protection of the Public and Staff
Research concerned with the effectiveness of Probation practice
Supervision, management, punishment and rehabilitation of offenders

Data subjects
Advisers, consultants and other professional experts
Complainants, correspondents and enquirers
Customers and clients
Health Care providers
Local Authority staff
Offenders and suspected offenders
Persons given a caution or final warning
Persons subject to judicial disposals including convictions, bind-overs, discharges, acquittals, orders made under legislation (e.g. Harassment Act 1997)
Police officers
Relatives, guardians and associates of the data subject
Sentencers
Staff from organisations providing services to NOMS and to an Offender
Staff including volunteers, agents, temporary and casual workers
Suppliers of services and facilities that support the administration of justice
Victims of crime
Witnesses

Data Classes
Business activities of the data subject
Criminal intelligence
Criminal proceedings, outcomes and sentences


2012 No. 1204 POLICE, ENGLAND AND WALES. The Police (Complaints and Misconduct) Regulations 2012 STATUTORY INSTRUMENTS 2012 No. 1204 POLICE, ENGLAND AND WALES The Police (Complaints and Misconduct) Regulations 2012 Made - - - - 1st May 2012 Laid before Parliament 3rd May 2012 Coming into force - -

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

DATA PROTECTION POLICY. DATA PROTECTION POLICY Reviewed and Adopted April Signed...COG...HEAD

DATA PROTECTION POLICY. DATA PROTECTION POLICY Reviewed and Adopted April Signed...COG...HEAD DATA PROTECTION POLICY DATA PROTECTION POLICY Reviewed and Adopted April 2016 Signed...COG...HEAD Next review April 2018 Data Protection Policy AIMS This policy sets out the Council s commitment to the

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015 Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 4 of the the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

The Chafford School. Data Protection and Freedom of Information Policy

The Chafford School. Data Protection and Freedom of Information Policy The Chafford School Data Protection and Freedom of Information Policy INDEX Aims & Objectives... 3 Data Protection The law... 3 Processing, storing, archiving and deleting personal data: Guidance... 3

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

London Borough of Brent Joint Regulatory Services ENFORCEMENT POLICY

London Borough of Brent Joint Regulatory Services ENFORCEMENT POLICY London Borough of Brent Joint Regulatory Services ENFORCEMENT POLICY Date of implementation: 01/11/05 Issue No:01 Issued by: Stephen Moore Executive approval: 12/09/2005 INTRODUCTION 1. This document sets

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

2015 No. 1945 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Credit Information) Regulations 2015

2015 No. 1945 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Credit Information) Regulations 2015 S T A T U T O R Y I N S T R U M E N T S 2015 No. 1945 FINANCIAL SERVICES AND MARKETS The Small and Medium Sized Business (Credit Information) Regulations 2015 Made - - - - 26th November 2015 Coming into

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

DATA PROTECTION CORPORATE POLICY

DATA PROTECTION CORPORATE POLICY DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016

Information Assurance Policies and Guidance. Information Governance Policy. Document Version: v0.5 Review Date: 1 May 2016 Information Assurance Policies and Guidance Information Governance Policy Document Version: v0.5 Review Date: 1 May 2016 Owner: Information Governance Manager 1 P a g e Document History Revision Version

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

Employment Manual REHABILITATION OF OFFENDERS AND SELF DISCLOSURE POLICY

Employment Manual REHABILITATION OF OFFENDERS AND SELF DISCLOSURE POLICY Employment Manual REHABILITATION OF OFFENDERS AND SELF DISCLOSURE POLICY CONTENTS INTRODUCTION TO REHABILITATION OF OFFENDERS ACT 1974... 1 EXCEPTIONS TO THE ACT... 1 MODIFICATIONS TO THE ACT... 1 POLICY...

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Council Tax Reduction Anti-Fraud Policy

Council Tax Reduction Anti-Fraud Policy Council Tax Reduction Anti-Fraud Policy Richard Davies Head of Revenues and Benefits, Torfaen Head of Benefits, Monmouthshire April 2015 1 Contents Section 1. 3 Background 3 Legislation and Governance

More information