1 DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data classes List of recipients
3 SECTION I: Audit of Processing 1.1 The audit of all processing of personal data within a department is by far the largest task that a Data Protection Co-ordinator will have to undertake and is the most important in ensuring that the University meets its obligations under the Data Protection Act Under the Act, the University is required on an annual basis to notify the Information Commissioner of all processing of personal data undertaken by the University, and inform the Information Commissioner of any changes to such processing or any new processing during the course of the year. 1.3 The information required by the Information Commissioner includes the purposes for which data is being processed, the data subjects about whom personal data is held, the classes of data held, recipients of that data and details of transfers of data overseas. While this information can be reported to the Information Commissioner in a summarised form for the University as a whole, an audit of all processing within the University is necessary to ensure that the notification is complete and accurate. 1.4 The University is also required to ensure that all processing of personal data is compliant with the provisions of the Act and to be able to provide evidence of compliance. A further purpose of the audit process is to verify that the processing complies with each of the Eight Principles of Data Protection and to provide such evidence. 1.5 Overall, the purposes of the audit are: a) to provide details of processing for notification to the Information Commissioner; b) to identify areas where action needs to be taken to ensure compliance; c) to provide information to assist in responding to requests from data subjects for access to their personal data held by the University. 1.6 Although it is not necessary to notify the Information Commissioner of the processing of personal data held in manual form, such processing will still need to be audited to ensure compliance and to assist in responding to data subject access requests. 1.7 It is not intended that miscellaneous letters and s held on computer should be included in the audit process. However, it should be noted that data subjects do have the right to access personal data contained within such documents. Each department should therefore have a policy with respect to management of these documents that will ensure compliance and assist in the retrieval of personal data where necessary. 1.8 The audit of processing must be carried out on an annual basis. The Data Protection Officer must also be informed of any changes or additions to processing during the intervening period. 1.9 Where the audit indicates a possible failure to comply with the legislation, the matter should be first raised with the member of staff responsible for the data and, where
4 feasible, appropriate remedial action taken immediately. Details of both the failure to comply and the action taken should be recorded on the audit form The audit forms should be passed to the Head of Department for authorisation before being sent to the Data Protection Officer. Copies of the audit will be retained by both the department and the Data Protection Officer. SECTION II: Audit Procedure 1. Scope of the audit All personal data held in electronic format or contained within a structured manual filing system must be audited. In particular, but not exclusively, the audit will cover personal data held in the following systems and formats: - Computer databases; - Document management systems (including documents stored in standard directory structures provided by such facilities as CFS) - Individual computer files where appropriate eg. spreadsheets and other such analysis tools, word-processed lists; - Structured directories; - Structured manual filing systems that can be referenced by individual e.g. Student files, staff files, survey data forms, examination scripts, holiday charts/lists, directories, publication lists; - Web-pages - Photographs - Microfiche - Video/audio recordings - Tissue samples 1.3 Please note that in conducting the audit it will be necessary to meet with all staff within the department to ensure that all processing of personal data is covered. 2. Frequency of audit Departments must conduct an audit on an annual basis. After the initial audit, subsequent audits should require only the amendment of previous audit details. Between each audit any changes in processing (additions, deletions and amendments) must be notified to the Data Protection Officer. 3. The Audit Process For each collection of data an Audit Form must be completed. The form is in two parts. Part A requires the completion of details for notification purposes (and also for assisting in
5 responding to data subject access requests). Part B is a series of questions intended to highlight any areas of non-compliance. A copy of the form is given in Appendix A. Instructions for completing both parts of the form are given below. Audit Form Part A: Notification Details Instructions for completion All parts must be completed do not leave blanks. If something is not applicable, or if the information is not available or not known, please indicate this on the form. Department: Enter department name and sub-department or division where appropriate. Data Collection Name: Enter the name of the collection by which it is known in the department or other reference. Description: Enter a brief description of the data collection. Data Owner: Enter the name and position of the person within the department with responsibility for management and control of the data. Contact details: Enter contact details for the Data Owner. Location of data: Specify the locations where the data is held. If held on computer please specify the location of the computer equipment. Data Formats: Tick the formats in which the data are held. Purpose for processing: Select one of the purpose codes as described in Appendix B for processing the personal data held in the data collection. If none are appropriate please describe the purpose for processing. Data subjects: A data subject is an individual about whom data are held. Select one or more of the data subject codes as described in Appendix C. For data subjects not covered by this list please enter a description. Data Classes: Data classes are the types of personal data which are being or which are to be processed. Select all relevant data class codes as described in Appendix D. For classes of data not covered by this list please enter a description. Please note that codes C206 to C213 all refer to sensitive personal data as defined within the Act. Sources of personal data: Indicate whether the personal data are obtained from the data subject or from a third-party. If a third-party please enter a description. Recipients of personal data: Recipients are individuals or organisations to whom the University intends or may wish to disclose data. It does not include any person to whom the University may be required by law to disclose in any particular case, for example if required by the police under a warrant. Select all recipient codes as described in Appendix E. For recipients of data not covered by this list please enter a description.
6 Transfer of personal data overseas: Indicate whether personal data are transferred outside the European Economic Area (EEA) 1. The choices are: None outside the EEA Worldwide Name individual countries outside the EEA (if there are more than 10 countries indicate Worldwide.) A transfer is not defined in the Act. However, the ordinary meaning of the word is transmission from one place, person, etc to another. This will include posting information on a website which can be accessed from overseas. In these circumstances it would be appropriate to indicate worldwide Processing of data by third parties: Please specify any contractors or organisations that process any of the data on behalf of the University or have direct access to the data in the course of their work for the University. Audit Form Part B: Compliance Details Instructions for completion All parts must be completed do not leave blanks. If something is not applicable, or if the information is not available or not known, please indicate this on the form. To ensure the processing complies with the requirements of the Data Protection Act tick Yes or No in response to the following questions. If not applicable, please indicate. The questions relate to the Principles of Data Protection as indicated below. Fair and lawful processing (First Principle) Q1 Q2 Q3 Q4 Q5 Has the data subject been informed of the processing? Has the data subject been informed of the people or organisations their data may be passed onto? Has the data subject given their consent to the processing? If the data subject has not given their consent, can the processing be justified on the basis of necessity (see Schedules 2 and 3 of the Act in Appendix 6.3 of the Data Protection Code of Practice for definitions of necessary processing)? If the data collection includes sensitive data (data classes C206 C213) has the data subject given their explicit consent to process such data? Lawful, clear and specific purposes (Second Principle) Q6 Is the processing of the data legal? 1 At the time of publication the countries in the EEA are the 27 EU members states plus Norway, Liechtenstein and Iceland. Switzerland is considered to have adequate data protection controls.
7 The legality of the processing must not be in question. For example, it is unlawful to use a person s National Insurance number as a personal identifier. Q7 Q8 Has it been made clear to the data subject what the data will be used for? Have any non-obvious uses of the data been made clear to the data subject, i.e. things that the data subject would not have realised you were doing from a general description of the processing? Adequate and minimum necessary data (Third Principle) Q9 Q10 Q11 Q12 Q13 Is there a clear reason for processing each item of data? Has it been verified that the same outcome could not be achieved, safely and effectively, with less data? Where information is collected on a form, does it indicate to the data subject that information which is essential and that which is voluntary to give? Is the information that is being processed adequate for the purpose? For example, if information is collected with the intention of using it later to prove the identity of individuals, a first and last name may not be enough. Is the information that is being processed no more than is necessary? For example, in collecting information for identification purposes it may be excessive to request a person s last three addresses. Accuracy of data (Fourth Principle) Q14 Q15 Have steps been taken to ensure the accuracy of the data? Is there a system of rolling reviews of data to keep the data up to date? [Note: if data is inaccurate or out of date it would not only breach the fourth Principle, but it could breach the third as well, because the data might not be adequate for the purpose.] Retention of data (Fifth Principle) Q16 Q17 Q18 Q19 Q20 Are the data being kept for no longer than is necessary to comply with relevant laws and regulations that define minimum periods of retention? (See the University s Data Protection Code of Practice) If data are being kept for periods longer than the legal minimum is there a good reason for doing so? Are files periodically weeded of irrelevant data? Is there a clear justification for the length of time the data are retained? Can it be confirmed that data are not being kept on a just in case basis? The data subject s rights (Sixth Principle)
8 Q21 Q22 Q23 Q24 Does the data subject know that their personal data are being processed? Does the data subject know why their personal data are being processed? Does the data subject know how their personal data are being processed? Has the data subject been informed of their rights of access? Appropriate security measures (Seventh Principle) Q25 Is the level of security adopted appropriate to the risks represented by the processing and the nature of the data to be protected? Consideration should be given to the measures taken to guard against theft, malicious damage or corruption (including computer viruses), unlawful access, accidental disclosure, loss and destruction. Particular consideration should be given to the security of sensitive data. Q26 Q27 Q28 Q29 Q30 Q31 Q32 Are there clear lines of responsibility for the processing operations? Are staff who deal with personal data aware of the purposes for which it has been collected? Are staff who deal with personal data aware of the parties to whom they can legitimately disclose the data? Are non-university personnel and students who handle personal data aware of their responsibilities and obligations under the Data Protection Act? Are non-university personnel and students who handle personal data adequately supervised? Where consultants/contractors have access to or process the data, is there a data protection statement in place in the contract setting out their obligations with regard to the security and use of data? e.g. Computer service engineers, mailing houses. Are appropriate measures in place for the secure disposal and/or destruction of personal data that are no longer required? (Please refer to the Data Protection Code of Practice for details of appropriate measures) Transferring personal data overseas (Eighth Principle) Q33 Where applicable, has the consent of the data subject been obtained to transfer personal data to countries outside the EEA which are not designated as adequate by the Information Commissioner? Other Legislative and Regulatory Requirements Q34 To the best of your knowledge has it been determined whether any other legal or regulatory conditions apply to the processing of the personal data?
9 Q35 Q36 Where such conditions apply please state the applicable legislation and/or regulations. Where such other conditions apply, are appropriate procedures and controls in place to ensure compliance? A No response to any of the above questions may indicate a failure to comply with the requirements of the Data Protection Act. All such responses should be discussed with the Data Owner and action agreed as necessary. If there is any doubt regarding the need for action or the type of action to be taken, the matter should be discussed with the Data Protection Officer. Any agreed actions should be noted on the audit form. The Data Protection Coordinator should confirm at a later date that all agreed actions have been undertaken. Upon completion of Parts A and B of the form the Data Protection Co-ordinator should sign the form as Auditor and then pass the form to the Head of Department for review and signature, before sending to the Data Protection Officer for recording centrally. The forms will be reviewed by the Data Protection Officer and any issues followed up with the Data Protection Co-ordinator where necessary. A copy of the form will be returned to the Data Protection Co-ordinator with an internal reference number added. 4. Reporting new processing or changes in processing During the period between each audit, any new processing should be notified to the Data Protection Officer using the standard Audit Form. New processing must clearly comply with the requirements of the Data Protection Act and must be notified to the Data Protection Officer before such processing is undertaken. Any changes to existing processing should be notified by signed memorandum to the Data Protection Officer indicating the nature of the change and quoting the internal reference number specified on the Audit Form.
11 (All parts must be completed - do not leave blanks. If something is not applicable, or if the information is not available or not known, please indicate this on the form) Department Sub Dept./Division Date Protection Audit Form Part A - Notification Ref. Data Collection Name Description Data Owner Position Contact details Locations of data Data Formats Computer Photograph Tissue Paper Video Other Microfiche Audio (please specify) Purpose Data Subjects S100 - Staff including volunteers, agents, temporary and casual workers S101 - Customers and Clients S102 - Suppliers S103 - Members or supporters S104 - Complainants, correspondents and enquirers S105 - Relatives, guardians and associates of the data subject S106 - Advisers, consultants and other professional experts S107 - Patients S108 - Students S109 - Offenders & suspected offenders Other - please specify Data Classes C200 - Personal details C208 - Religious or similar beliefs C201 - Family, lifestyle, social circumstances C209 - Trade union membership C202 - Education & training C203 - Employment details C204 - Financial details C205 - Goods or services provided C206 - Racial or ethnic origin C207 - Political opinions C210 - Physical or mental health or condition C211 - Sexual life C212 - Offences (including alleged offences) C213 - Criminal proceedings, outcomes, etc. Other Other
12 Data sources Data subject Third-party (please specify) Data Recipients R400 - Data subjects themselves R401 - Relatives, guardians or other persons associated with the Data subject R402 - Current, past or prospective employers of the Data subject R403 - Healthcare, social and welfare advisers or practitioners R404 - Education, training establishments and examining bodies R405 - Business associates and other professional advisers R406 - Employees and agents of the Data controller R407 - Other companies in the same group as the Data controller R408 - Suppliers, providers of goods or services R409 - Persons making an enquiry or complaint R410 - Financial organisations and advisers R411 - Credit reference agencies R412 - Debt collection and tracing agencies R413 - Survey and research organisations R414 - Traders in personal Data R415 - Trade, employer associations and professional bodies R416 - Police forces R417 - Private investigators R418 - Local government R419 - Central government R420 - Voluntary and charitable organisations R421 - Political organisations R422 - Religious organisations R423 - Ombudsmen and regulatory authorities R424 - The media R425 - Data processors Other - please specify Other - please specify Other - please specify Transfers Overseas None outside the EEA Worldwide Countries outside EEA (please name - if greater than 10 specify worldwide) Processing of data by third parties (please specify)
13 Data Protection Audit Form Part B - Compliance (All parts must be completed - do not leave blanks. If something is not applicable, or if the information is not available or not known, please indicate this on the form) Fair and lawful processing (First Principle) Ref. Yes No N/A Q1 Q2 Q3 Q4 Q5 Has the data subject been informed of the processing? Has the data subject been informed of the people or organisations their data may be passed onto? Has the data subject given their consent to the processing? If the data subject has not given their consent, can the processing be justified on the basis of necessity (see Schedules 2 and 3 of the Act in Appendix 6.3 of the Data Protection Code of Practice for definitions of necessary processing)? If the data collection includes sensitive data (data classes C206 -C213) has the data subject given their explicit consent to process such data? Lawful, clear and specific purposes (Second Principle) Q6 Q7 Q8 Is the processing of the data legal? (The legality of the processing must not be in question. For example, it is unlawful to use a person's National Insurance number as a personal identifier.) Has it been made clear to the data subject what the data will be used for? Have any 'non-obvious' uses of the data been made clear to the data subject, i.e. things that the data subject would not have realised you were doing from a general description of the processing? Adequate and minimum necessary data (Third Principle) Q9 Is there a clear reason for processing each item of data? Q10 Has it been verified that the same outcome could not be achieved, safely and effectively, with less data? Q11 Where information is collected on a form, does it indicate to the data subject that information which is essential and that which is voluntary to give? Q12 Is the information that is being processed adequate for the purpose? (For example, if information is collected with the intention of using it later to prove the identity of individuals, a first and last name may not be enough.) Q13 Is the information that is being processed no more than is necessary? (For example, in collecting information for identification purposes it may be excessive to request a person's last three addresses.) Accuracy of data (Fourth Principle) Q14 Have steps been taken to ensure the accuracy of the data? Q15 Is there a system of rolling reviews of data to keep the data up to date? (Note: if data is inaccurate or out of date it would not only breach the fourth Principle, but it could breach the third as well, because the data might not be adequate for the purpose.) Retention of data (Fifth Principle) Q16 Are the data being kept for no longer than is necessary to comply with relevant laws and regulations that define minimum periods of retention? (See the Data Protection Code of Practice) Q17 If data are being kept for periods longer than the legal minimum is there a good reason for doing so?
14 Yes No N/A Q18 Are files periodically 'weeded' of irrelevant data? Q19 Is there a clear justification for the length of time the data are retained? Q20 Can it be confirmed that data are not being kept on a 'just in case' basis? The data subject's rights (Sixth Principle) Q21 Does the data subject know that their personal data are being processed? Q22 Does the data subject know why their personal data are being processed? Q23 Does the data subject know how their personal data are being processed? Q24 Has the data subject been informed of their rights of access? Appropriate security measures (Seventh Principle) Q25 Is the level of security adopted appropriate to the risks represented by the processing and the nature of the data to be protected? (Consideration should be given to the measures taken to guard against theft, malicious damage or corruption (including computer viruses), unlawful access, accidental disclosure, loss and destruction. Q26 Are there clear lines of responsibility for the processing operations? Q27 Are staff who deal with personal data aware of the purposes for which it has been collected? Q28 Are staff who deal with personal data aware of the parties to whom they can legitimately disclose the data? Q29 Are non-university personnel and students who handle personal data aware of their responsibilities and obligations under the Data Protection Act? Q30 Are non-university personnel and students who handle personal data adequately supervised? Q31 Where consultants/contractors have access to or process the data, is there a data protection statement in place in the contract setting out their obligations with regard to the security and use of data? e.g. Computer service engineers, mailing houses. Q32 Are appropriate measures in place for the secure disposal and/or destruction of personal data that are no longer required? (Please refer to the Data Protection Code of Practice for details of appropriate measures) Transferring personal data overseas (Eighth Principle) Q33 Where applicable, has the consent of the data subject been obtained to transfer personal data to countries outside the EEA which are not designated as 'adequate' by the Information Commissioner? Other Legislative and Regulatory Requirements Q34 To the best of your knowledge has it been determined whether any other legal or regulatory conditions apply to the processing of the personal data? Q35 Where such conditions apply please state the applicable legislation and/or regulations. Q36 Where such other conditions apply, are appropriate procedures and controls in place to ensure compliance? Audited by: Authorised by: Date: Date:
15 APPENDIX B: Purposes P001 Staff administration Appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller. P002 Advertising, marketing and public relations Advertising or marketing the data controller s own business, activity, goods or services and promoting public relations in connection with that business or activity or those goods or services. P003 Accounts and records Keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by him or to him in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity. P004 Accounting and auditing The provision of accounting and related services; the provision of an audit where such an audit is required by statute. P005 Administration of justice Internal administration and management of courts of law or tribunals and discharge of court business. P006 Administration of membership records The administration of membership records. P007 Advertising marketing and public relations for others Public relations work, advertising and marketing, including host mailings for other organisations and list broking. P008 Assessment and collection of taxes and other revenue Assessment and collection of taxes, duties, levies and other revenue. You will be asked to indicate the type of tax or other revenue concerned. P009 Benefits, grants and loans administration The administration of welfare and other benefits. You will be asked to indicate the type(s) of benefit you are administering. P012 Consultancy and advisory services Giving advice or rendering professional services. The provision of services of an advisory, consultancy or intermediary nature. You will be asked to indicate the nature of the services which you provide. P014 Crime prevention and prosecution of offenders Crime prevention and detection and the apprehension and prosecution of offenders. This includes the use of most CCTV systems which are used for this purpose.
16 P015 Debt administration and factoring The tracing of consumer and commercial debtors and the collection on behalf of creditors. The purchasing of consumer or trade debts, including rentals and instalment credit payments, from business. P016 Education The provision of education or training as a primary function or as a business activity. P017 Fundraising Fundraising in support of the objectives of the data controller. P018 Health administration and services The provision and administration of patient care. P019 Information and databank administration Maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases. P021 Journalism and media Processing by the data controller of any journalistic, literary or artistic material made or intended to be made available to the public or any section of the public. P022 Legal services The provision of legal services, including advising and acting on behalf of clients. P023 Licensing and registration The administration of licensing or maintenance of official registers. P024 Pastoral care The administration of pastoral care by a vicar or other minister of religion. P025 Pensions administration The administration of funded pensions or superannuation schemes. Data controllers using this purpose will usually be the trustees of pension funds. P027 Private investigation The provision on a commercial basis of investigatory services according to instruction given by clients. P028 Processing for not for profit organisations Establishing or maintaining membership of or support for a body or association which is not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it. P029 Property management The management and administration of land, property and residential property and the estate management of other organisations.
17 P030 Provision of financial services and advice The provision of services as an intermediary in respect of any financial transactions including mortgage and insurance broking. P031 Realising the objectives of a charitable organisation or voluntary body The provision of goods and services in order to realise the objectives of the charity or voluntary body. P032 Research Research in any field, including market, health, lifestyle, scientific or technical research. You will be asked to indicate the nature of the research undertaken. P033 Trading/sharing in personal information The sale, hire, exchange or disclosure of personal data to third parties in return for goods / services / benefit.
19 APPENDIX C: Data Subjects S100 - Staff including volunteers, agents, temporary and casual workers S101 - Customers and clients S102 - Suppliers S103 - Members or supporters S104 - Complainants, correspondents and enquirers S105 - Relatives, guardians and associates of the data subject S106 - Advisers, consultants and other professional experts S107 - Patients S108 - Students and pupils S109 - Offenders and suspected offenders All of the above categories include current, past or prospective data subjects.
21 APPENDIX D: Data Classes C200 Personal details Included in this category are classes of data which identify the data subject and their personal characteristics. Examples are names, addresses, contact details, age, sex, date of birth, physical descriptions, identifiers issued by public bodies, eg NI number. C201 Family, lifestyle and social circumstances Included in this category are any matters relating to the family of the data subject and the data subject s lifestyle and social circumstances. Examples are details about current marriage and partnerships and marital history, details of family and other household members, habits, housing, travel details, leisure activities, membership of charitable or voluntary organisations. C202 Education and training details Included in this category are any matters which relate to the education and any professional training of the data subject. Examples are academic records, qualifications, skills, training records, professional expertise, student and pupil records. C203 Employment details Included in this category are any matters relating to the employment of the data subject. Examples are employment and career history, recruitment and termination details, attendance record, health and safety records, performance appraisals, training records, security records. C204 Financial details Included in this category are any matters relating to the financial affairs of the data subject. Examples are income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, pension information. C205 Goods or services provided Included in this category are classes of data relating to goods and services which have been provided. Examples are details of the goods or services supplied, licences issued, agreements and contracts. C206 Racial or ethnic origin C207 Political opinions C208 Religious or other beliefs of a similar nature C209 Trade union membership C210 Physical or mental health or condition C211 Sexual Life C212 Offences (including alleged offences) C213 Criminal proceedings, outcomes and sentences
23 APPENDIX E: Recipients R400 R401 R402 R403 R404 R405 R406 R407 R408 R409 R410 R411 R412 R413 R414 R415 R416 R417 R418 R419 R420 R421 R422 R423 R424 R425 - Data subjects themselves - Relatives, guardians or other persons associated with the data subject - Current, past or prospective employers of the data subject - Healthcare, social and welfare advisers or practitioners - Education, training establishments and examining bodies - Business associates and other professional advisers - Employees and agents of the data controller - Other companies in the same group as the data controller - Suppliers, providers of goods or services - Persons making an enquiry or complaint - Financial organisations and advisers - Credit reference agencies - Debt collection and tracing agencies - Survey and research organisations - Traders in personal data - Trade, employer associations and professional bodies - Police forces - Private investigators - Local government - Central government - Voluntary and charitable organisations - Political organisations - Religious organisations - Ombudsmen and regulatory authorities - The media - Data processors
Data protection registration: nature of work descriptions Finance, insurance and credit We use these descriptions to help us process your registration: Accountant Actuaries Agents for the NFU mutual Bank
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
Data Protection Important information Changes to the notification fee structure came into effect on 1 October 2009 and the 35 flat fee no longer applies. Further information can be found at www.ico.gov.uk
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection
Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,
Data Protection Policy Introduction This policy sets out the framework for a consistent SDS wide approach to handling information relating to identifiable individuals (Personal Data). Skills Development
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and
Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data
London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6
WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...
How We Use Personal Data Introduction This document explains how Thames Valley Police obtains, holds, uses and discloses information about people (their personal data 1 ), the steps we take to ensure that
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information
Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
DATA PROTECTION ACT POLICY Personal data shall be obtained, maintained, stored, used and passed on only in strict accordance with the Act 1998. KIDS is registered according to the Data Protection Act 1998
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
East Northamptonshire Council Policy & Community Development Data Protection Policy December 2007 If you would like to receive this publication in an alternative format (large print, tape format or other
DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations
University of Essex And Essex Police INFORMATION SHARING AGREEMENT September 2011 Version Published 1 1. INTRODUCTION 2. PURPOSE AND SCOPE OF THIS AGREEMENT 3. BENEFITS OF SHARING THIS INFORMATION 4. AGREEMENT
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
MODEL DECLARATION FORM A Guidance for applicants The position you have applied for is exempt from the Rehabilitation of Offenders Act 1974 (as amended in England and Wales). When South Central Ambulance
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection
This guidance recognises that schools already deal with a great variety and number of requests for information and provides a straightforward approach to compliance with the following legislation: Education
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
Policy Procedure Data Protection Act 1998 New policy number: 351 Old instruction number: MAN:A030:a2 Issue date: 20 April 2004 Reviewed as current: 16 January 2015 Owner: Head of Information and Communications
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
Data Protection Act 1998 Codes of Practice The Employment Practices Data Protection Code CONTENTS CONTENTS... 1 Who is the Code for?... 3 Why should you use it?... 3 Other parts of the Code... 3 Five sections...
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
PRIVACY AND CREDIT REPORTING POLICY 12 March 2014 CONTENTS What is personal information?...3 Information we may collect, use and disclose about you...4 Collection of sensitive information...6 How personal
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information
Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school
Newcastle Safeguarding Children Board Multi-agency information sharing agreement March 2016 Introduction Newcastle Safeguarding Children Board (NSCB) is the strategic body for promoting and safeguarding
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 email@example.com Graham Hann Partner +44 (0)20 7300 4839 firstname.lastname@example.org Chris Jeffery Partner +44
1 Data Protection in the Charity & Voluntary Sector Guidelines April 2011.Version 5.0 Office of the Data Protection Commissioner 2 CONTENTS Page INTRODUCTION 3 1. Key Recommendations 4 2. Donor Databases
Hong Leong Asia Ltd. Personal Data Protection Policy The protection of your Personal Data is important to us. This Personal Data Protection Policy ( PDP Policy ) outlines how we manage your personal data,
DATA PROTECTION POLICY DATA PROTECTION POLICY Reviewed and Adopted April 2016 Signed...COG...HEAD Next review April 2018 Data Protection Policy AIMS This policy sets out the Council s commitment to the
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
The Manchester College The Manchester College Produced by TMC Prin DataProtect pol v1 11/2010 All rights reserved; no part of this publication may be photocopied, recorded or otherwise reproduced, stored
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
Information Handling Policy 10 December 2015 Information Handling Policy 1. Who We Are 1.1 In this Information Handling Policy, references to we, our, us and ClearView are to ClearView Wealth Limited and