Corporate Data Protection Policy


September 2010
Records Management Policy RMP-09

GOLDEN RULE: When you think about Data Protection, remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled, and then manage the personal details of others in the same way.

Point of Contact for this Policy
Name: David Taylor
Title: Senior Information Governance Officer
Telephone:

Status: FINAL, Version 1.0

Foreword
Brian Hoare, Leader of the Council

As more of our information is held on computers, it is reassuring for our customers to know that Data Protection legislation is in place to protect the information we hold and to prevent its misuse. The legislation is our customers' assurance that the information we need from them to provide services is collected wisely, used appropriately and destroyed securely. It also gives them the right to see the information held and to amend it if it is wrong. This policy supports the legislation and helps us all to keep the requirements for handling personal data foremost in our thoughts as we work. The citizens of Northampton expect their Council to manage the information they give us as though it were our own. This is the standard that we must strive to achieve, and these policies aim to help that process.

Preface
David Kennedy, Chief Executive

Northampton Borough Council is fully committed to complying with the requirements of the Data Protection Act 1998. This Council will therefore follow procedures which aim to ensure that all employees, elected members, contractors, agents, partners and others working for the Council who have access to any personal data held by or on behalf of this Council are fully aware of, and abide by, their duties under the Data Protection Act 1998. The Council fully endorses and adheres to the principles set out in the Act.

Contents

Foreword (Leader of the Council)
Preface (Chief Executive)
Introduction
Compliance
The 8 Data Protection Principles
Personal Information Promise
Personal and Sensitive Personal Data
Policy Scope

POLICY STATEMENTS
Section 1 Collecting personal data
  1 Data Collection
  2 Privacy Notice & Informed Consent
  3 Safeguards
Section 2 Holding personal data
  4 Legal Requirements
  5 Information Security
  6 Safe Haven
  7 Confidentiality
  8 Free Text
Section 3 Processing personal data
  9 Privacy Impact Assessment Toolkit
  10 Processing (using) data
  11 Disclosing data
  12 Home Working
Section 4 Data Subject rights
  13 Rights of Data Subjects
  14 Exemptions to the non-disclosure provisions
Section 5 Data Management
  15 Updating data
  16 Data Retention
  17 Data Destruction
Section 6 Information Sharing
  18 Framework Code of Practice on Information Sharing
  19 Data Matching
  20 Data Transmission
Section 6 Non Compliance
  21 Breaches
  22 Consequences of Non Compliance
  23 Criminal Offences
Section 7 DPO duties & responsibilities
  24 The Data Protection Officer
  The notification process
  Complaints & Investigations
  Training
  Review
Section 8 Further Information
  Compliance
  Related legislation
  Links to other associated legislation
  References
  Definitions
  Contacts
GOLDEN RULES
Personal Information Promise Scroll
TH!NK Privacy (back cover)

Introduction

Northampton Borough Council ("the Council") is fully committed to compliance with the requirements of the Data Protection Act 1998 ("the Act"), which came into force on 1st March. Obligations and responsibilities under the Data Protection Act 1998 are not optional; they are mandatory. There can be harsh penalties (up to £500,000) imposed for non-compliance.

The Council will therefore follow procedures that aim to ensure that all staff, elected members, contractors, agents, consultants, partners or any other person working for the Council who has access to any personal data held by or on behalf of the Council is fully aware of, and abides by, their duties and responsibilities under the Act. All individuals permitted to access personal data in line with their work duties must agree to comply with this policy and agree to undertake any relevant training that may be appropriate to the job or position being undertaken. Some departments may also require you to sign a further undertaking relating to the systems or information you will use.

As well as the Council, any individual who knowingly or recklessly processes data without appropriate consent or proper authorisation, for purposes other than those for which it is intended, or who deliberately acts outside their recognised responsibilities, may be subject to the Council's disciplinary procedures, including dismissal where appropriate, and to legal action and possible prosecution for an offence under the Act. Since April 2010 the Criminal Justice and Immigration Act 2008 has also given the Information Commissioner the power to impose monetary penalties for serious breaches.

Compliance

In order to operate efficiently, the Council has to collect and use personal data about people with whom it works. This may include members of the public, current, past and prospective staff, clients, customers, contractors, partners and suppliers. In addition, the Council may be required to collect and use personal data in order to comply with its statutory obligations. This personal data must be handled and dealt with in accordance with the Act and this policy. There are safeguards within the Act to ensure personal information is collected, recorded and used properly, whether it is on paper, in computer records or recorded by any other means.

The obligations outlined in this policy apply to everyone listed above who has access to, holds copies of or processes personal data. This includes those who work at or from home or have remote or flexible patterns of working.

Directors, Service Heads and Managers have immediate responsibility and accountability for data protection matters in their own areas of work, including:
- development, implementation and review of departmental Data Protection Procedures that support this policy;
- ensuring compliance with Information Governance policies and standards established by the Council and their service;
- ensuring that new information systems in their work area are designed to comply with this policy (tested against the Privacy Impact Assessment toolkit);
- notifying the Senior Information Governance Officer of the development of any new systems in their area of work that use personal data.

Staff and Elected Members (including consultants, contract, temporary, part-time and agency staff) have immediate responsibility to:
- work in a manner which ensures the security and good management of all personal information they have access to; and
- proactively alert management to suspected poor data protection practices.

The 8 Data Protection Principles

The Act stipulates that anyone processing personal data must comply with eight principles of good practice. These principles, summarised below, are fully defined in Schedule 1 of the Act and are legally enforceable. They must be followed by all data processors at all times. The principles require that personal information is:
1. Processed fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up to date
5. Not kept for longer than necessary
6. Processed in accordance with the rights of data subjects
7. Kept secure, against unauthorised or unlawful processing and against accidental loss, destruction or damage
8. Not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection

Data Protection Promise: going further than the letter of the law

In addition to meeting its legal obligations to safeguard personal data, this Council endeavours to go further than the letter of the law. To demonstrate this commitment to Data Protection, the Council's Management Board has agreed to work in a way that, wherever possible and practical, supports the Information Commissioner's Personal Information Promise. Accordingly we promise that we will:
1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to;
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after personal information properly;
9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.

Personal & Sensitive Personal Data

The Act provides conditions for the collection and processing of any personal data. It also makes a distinction between personal data and sensitive personal data.

Personal data is defined as data relating to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to: racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; criminal proceedings or convictions.

Although there are clear distinctions between personal and sensitive personal data, for the purposes of this policy the term "personal data" refers equally to sensitive personal data unless otherwise stated.

Policy Scope

The Data Protection Act 1998, the 8 Data Protection Principles and the 10 Personal Information Promises form the framework and reference points for the following policy statements. Complying with them all demonstrates the Council's commitment to managing all personal data to the very highest standards at all times. This policy has been approved at Cabinet level. Compliance with all aspects of the policy is mandatory.

The policy is divided into linked sections for ease of reference. It follows the natural process of collecting, validating, processing, retaining, sharing and destroying data. Guidance notes supporting each section and giving detailed compliance advice are available to assist individuals and departments to comply with their duties and obligations. This policy is part of a series of interlinked policies relating to Records Management, Information Governance and Access to Information Requests.

Section 1 Collecting personal data

1 Data Collection
GOLDEN RULE: The Council will only collect the absolute minimum amount of personal data required to conduct its business.
Departments will maintain policies that ensure the personal information they collect and hold is kept up to date and is never more than 6 years old within an active file.

2 Privacy Notice & Informed Consent
GOLDEN RULE: Privacy statements (previously Fair Processing Notices) must be included when collecting any personal data.
They must:
- be written in the same font, size and layout as the rest of the publication;
- be written in plain English;
- state why the personal data is required and how it will be used;
- if necessary, identify who can access it and who it may be shared with;
- say how long it will be retained and how it will be destroyed.
As a minimum the following statement should be used.

Example privacy notice: "Northampton Borough Council is registered with the Information Commissioner's Office under the Data Protection Act 1998 to collect, hold and use personal and sensitive personal information under registration number Z. Details of the Council's current stated uses of personal information are available from the Information Commissioner's website. A copy of the Council's Data Protection Policy is available upon request or on the Council's website."

In addition, if sensitive personal data is to be collected, explicit consent must be obtained either in advance or at the time of collection. In this context explicit consent means the Council must obtain signed consent or, if collecting electronically, the individual must actively change a default option from "no" to "yes" (I agree); a pre-selected "yes" does not amount to explicit consent.

3 Safeguards
The Council will ensure appropriate physical and electronic safeguards are in place to protect all the personal information in its care. Where necessary, additional provisions, safeguards and controls will be employed to ensure sensitive personal information can only be accessed by authorised personnel.

Section 2 Holding personal data

Records management has close links with other strategies and policies relating to Information Governance, Information Technology, Risk Management, Continuity, security, and data quality and validation. Policies and procedures relating to all such activities must be consistent with one another.

4 Legal requirements
Legislation such as the Data Protection Act 1998 and the Freedom of Information Act 2000 has placed an increased obligation on the Council to manage its data (information), whether paper or electronic, according to defined guidelines and standards. Both Acts require the Council to be able to identify, locate and account for the disposal of documents, and to have published and implemented policies in relation to the disposal of records.

5 Information Security
The Council undertakes to have in place a level of information security appropriate to the nature of the data and the harm that might result from a breach of security. There are three key points to understand and keep clearly in mind when thinking about information security.
a) Information exists in many forms: printed or written on paper, stored electronically, transmitted by post or electronic means, shown on film or spoken in conversation. Be aware of the information around you and in your care at all times. Treat others' information as though it were your own.
b) Information security management is a combination of management and technological processes. It is your responsibility to manage personal data in a compliant way using the most appropriate compliant process. This will normally mean ensuring your working practices follow the written working procedures for your area, in both the physical and the electronic environment.
c) We all have a part to play in making sure that our information assets are safe. You are responsible for the security of the information you work with. Managers are responsible for ensuring you are able to manage information securely.

6 Safe Haven
This policy introduces the term "Safe Haven" to the Council. This is a widely recognised term that describes the administrative arrangements adopted for safeguarding the receipt, holding and transfer of personally identifiable and other confidential information.

It covers issues such as a clear desk policy, as well as the secure transmission and receipt and the safe retention of data. In effect, a Safe Haven is anywhere in the Council where confidential information can be held and communicated in a safe and secure environment.

7 Confidentiality
Personal data is often provided to the Council in confidence. This confidential information is arguably the most valuable business information asset the Council holds. Staff automatically have a duty to ensure that confidential information is not knowingly or recklessly misused. Staff should only access systems and records containing confidential information that are relevant to their work and duties. Therefore, where appropriate, signed declarations of confidentiality should be employed.
GOLDEN RULE: Treat all personal information as provided in confidence unless otherwise advised.
Those who use the Council's computer equipment will only have access to the data that is both necessary for the work they are doing and held for the purpose of carrying out that work. Do not try to access personal information you should not have access to. If you find others misusing personal data, report the issue, in confidence to the Data Protection Officer if necessary.
Manual files (paper records): access must be restricted solely to relevant staff, and files must be stored in secure locations (e.g. lockable cabinets) to prevent unauthorised access. Data users and processors must comply with the Council's Information Security Policy.
Preventing abuse and discrimination: The Council processes sensitive personal data on staff and service users. The Council will have regard to its various diversity policies to ensure that if instances of abuse or discrimination occur, appropriate action is taken.
NB: Additional safeguards must be adopted when sensitive personal data is involved.

8 Free Text
Free text is, for the purposes of this policy, the area within a case file or electronic case system where details are recorded about interactions with the individual (customer). If requested, the customer would be provided with the information contained therein.

However, this free text guidance can equally be applied to emails, internal memos and phone messages. Therefore care must be taken to record only factual information about individuals. Do not record opinions or anything else that cannot be substantiated. Remember that data subjects have the right to request copies of the information the Council holds about them, including notes you have written onto their case file. What you write is likely to be disclosed if requested.
GOLDEN RULE: The golden rule of free text is to consider whether you would be happy for someone else to write about you what you have written about them.
Free text Do's:
- Keep text brief. No essays.
- Record facts. Only write what can be substantiated.
- Link to evidence where necessary.
Don'ts:
- Do not use full names except for the data subject's; use initials.
- Do not include personal thoughts.
- Do not record comments that in hindsight you would retract or cannot substantiate.

Section 3 Processing personal data

What is processing? Any activity or operation performed on personal data, whether held electronically or manually, such as obtaining, recording, holding, disseminating or making available the data, or carrying out any operation on the data. It is difficult to envisage any activity that does not amount to processing; it includes organising, adapting, amending, retrieving, consulting, disclosing, erasing or destroying the data. Where a third party processes data on the Council's behalf, the third party will be required to act in a manner which ensures compliance with the Act and this policy and to have adequate safeguards in place to protect the personal data. The Act requires such arrangements to be set out in a written contract, and the Council remains responsible for the data as data controller.

9 Privacy Impact Assessment Toolkit
In response to the Data Sharing Review Report (11th July 2008, Richard Thomas and Mark Walport), the Council will use a Privacy Impact Assessment (PIA) toolkit to evaluate all new computer systems to help it determine how data protection compliance can be assured. In addition, all existing systems will be subject to periodic assessment. PIA toolkits provide a step-by-step approach to evaluating and testing proposed, new or existing information systems for compliance with the legislation. The PIA process helps to identify weaknesses or risks of data loss or breach and to consider the action that needs to be taken to ensure compliance where it is not yet achieved. PIA applies equally to paper and to electronic data holding systems.

10 Processing (using) data
In line with the first data protection principle, all information will be collected fairly and lawfully and processed in line with the purpose for which it has been collected.
GOLDEN RULE: Without exception, information must not be used for any additional purposes without the consent of the data subject.

11 Disclosing data
Personal data must only be disclosed to the data subject (the individual) and to other organisations and persons who are pre-defined as notified recipients within the Council's Data Protection Notification. At certain times it may be required that personal data provided in confidence is disclosed under one of the exemptions within the Act (see policy statement 14 and guidance note 4 for more details). In both cases requests for such information must be passed to Information Governance, who will keep an audit trail of all such disclosures.
GOLDEN RULE: Never disclose personal data without authorisation. It may be a disciplinary offence.

12 Home working
Working from home presents some complex security issues. Accessing the Council's network from home is covered by ICT policies and procedures. Do not try to bypass these security measures, particularly by copying files from work drives to local drives (your home PC). Personal data must not be stored on any device (including removable media such as USB sticks) that does not have corporately approved encryption. Taking home paper or electronic files creates a risk of loss. It also means the files are not accessible to other members of staff. Controls in the office must include a signed log when you are removing and returning files. Managers must authorise the removal from the office of any files containing personal information.

Section 4 Data Subject rights

13 Rights of Data Subjects
There are six basic rights that the data subject can exercise against the data controller.
Section 7: Right of access for the data subject. This right is exercised through a Data Subject Access Request. The Council applies the statutory maximum charge (currently £10) when individuals make a request, with possible additional disbursement charges for copying and postage. Guidance note 4 fully defines the request process and includes a flowchart.
There are five other rights, most of which follow on from a subject access request:
Section 10: Right to prevent processing likely to cause damage or distress
Section 11: Right to prevent processing for the purposes of direct marketing
Section 12: Rights in relation to automated decision-taking
Section 13: Right to compensation in certain circumstances
Section 14: Right to rectification, blocking, erasure or destruction of data
Any request to exercise one or more of these rights must be passed immediately to Information Governance.

14 Exemptions to the non-disclosure provisions
This section is in two parts. Part A relates to information that may be exempt from disclosure following a subject access request, and Part B relates to information that can be disclosed without the individual's consent, such as under section 29 or 35 (see guidance note 4).
Part A: Under the Act there are some instances where personal information held about an individual is exempt from the section 7 right (to be provided with a copy of all information held). The Council will review all such exemptions with a view to disclosing as much as is possible without causing harm. These include, but are not limited to:
- exam results
- medical reports
- confidential references
Part B: There are several prescribed exemptions to the non-disclosure provisions within the Act. The main ones are summarised below. All such disclosures are either managed or authorised by Information Governance to ensure that they are legally permissible and recorded.
NB: It should be noted that the Act does not place a requirement on the Council to provide this information. It is for requesting organisations to put forward a strong case.

Section 5 Data Management

15 Updating Data
Personal data must only be kept on active files for a maximum of 6 years without being refreshed. If, when it was collected, we stated how long the data would be held for, there must be processes in place to ensure the information is securely destroyed at the end of this period. Examples include records of disciplinary action, consultation responses and monitoring data. Departments must have in place procedures to ensure personal information (such as contact details) is updated regularly. Some departments, such as Personnel, will do this every other year; others, such as Housing Tenancy and Planning, will do it as a rolling process; and some, such as Council Tax, will just note the date the details were put onto the system. There is no requirement to update personal data on closed files such as ex-tenant files.

16 Data retention
Principle 5 reminds us to keep personal information only for as long as is necessary. How long information needs to be kept will depend on what the information is used for and, to some extent, on the business need. Your departmental Retention Schedule contains details of how long specific record types should be kept. Information Governance can also advise on how long information should be kept.

17 Data destruction
All personal, sensitive personal, confidential and financial information held by the Council will be destroyed securely. Disposal of personal information will be part of a managed process, which will be fully documented within each directorate. Each directorate will have in place clearly defined arrangements and procedures for the selection of information ready for disposal, in accordance with local retention guidelines. Destruction of information will be carried out following the relevant procedures and may be subject to periodic checks by either Internal Audit or Information Governance.

Section 6 Information Sharing

18 Framework Code of Practice on Information Sharing
In 2007 the Information Commissioner's Office issued a Framework Code of Practice for sharing personal information. The aim of the code is to help organisations adopt good practice when sharing information and comply with the Act.

The Council has signed up to the Northamptonshire Partnership Information Sharing Statement, which is available as part of the procedure and guidance documents linked to this policy. The Council actively encourages the use of Information Sharing Agreements between organisations. This approach ensures that information is shared legally, responsibly and appropriately. Information Sharing Agreements must be signed off and recorded centrally by the Data Protection Officer before they become active.

19 Data Matching
The Council is required by law to provide personal information data sets periodically to the Audit Commission to assist nationally with the prevention and detection of fraud. The data matching exercises are conducted as part of the National Fraud Initiative (NFI). Details of each exercise and the data sets required are available on the Audit Commission's website. The Council supports data matching, provides all information required for each exercise and follows the relevant codes of practice to ensure the information is transmitted and processed securely at all times.

20 Data Transmission
The greatest single risk to the security of data is during transmission. Every time data is moved, a risk of loss, theft or breach is created. Specific, detailed departmental policies should be used to ensure that information security is not compromised during transmission. Areas of risk include:
- File movement, particularly out-of-office file movement such as court attendance, home working or an office move.
- Home working. Particular risks include the storage of data on removable drives such as USB sticks, the holding of data on laptops, and taking files home.
- Email, which is often overlooked as a transmission risk. Standard email is not a secure way to send personal information: it is easily misaddressed and it travels, and is stored, unencrypted. Consider file encryption (with the password or key sent by a separate channel, never in the same email) or a secure email service such as GCSX.
- Post. "Signed for" does not make the postage any more secure, though it does give assurance that someone at the other end has received the information. Courier, particularly same-day door-to-door, is about the most secure way to post.
Advice on how to identify and mitigate these risks is contained in DP Guidance note 6.

Section 6 Non Compliance

21 Breaches
The Council is required to proactively report significant data breaches to the Information Commissioner. To do this, anyone who suspects or finds that a data breach, data loss or theft has occurred should inform the Data Protection Officer at the earliest opportunity, preferably on the same day. Types of suspected data breach include, but are not restricted to:
- accidental disclosure of personal data to another person or organisation;
- inappropriate access to or use of personal data;
- the theft of personal information, either paper-based or electronic;
- accidental loss of personal data;
- information that has not arrived at its destination;
- fraudulent acquisition of personal data (for example by "blaggers", who obtain it by deception).
The Data Protection Officer must investigate the suspected data loss at the earliest opportunity and in any event within 3 working days of the breach being notified in writing to the Data Protection Officer. Where appropriate, particularly in respect of theft, the police should also be notified. If the Data Protection Officer considers it necessary, after concluding the investigation and consulting with the Monitoring Officer and/or the Chief Executive, a report shall be submitted to the Information Commissioner's Office within 5 working days of the breach occurring. Where a breach is shown to have originated from a member of staff it will be dealt with in accordance with the Council's procedure for dealing with poor performance and misconduct. Managers will need to decide what action is appropriate based on the circumstances and may wish to seek advice from Human Resources, the Data Protection Officer and, if necessary, Legal Services (particularly in the case of criminal offences).

22 Consequences of Non Compliance
The Information Commissioner has the power to conduct audits to assess whether an organisation's processing of personal data follows good practice. Following such an audit the Information Commissioner has the power to issue the following notices.
Information Notice: requires the Council to provide certain information within set time limits. Failure to comply with an Information Notice, or deliberately providing false information, is a criminal offence.

Undertaking: The Commissioner may decide that systems and/or practices could be improved by requiring the organisation to agree to a number of recommendations. By signing an undertaking the organisation is effectively on probation and obliged to action the undertaking.
Decision Notice: If the Information Commissioner decides that there has been a breach of the Act he may serve the Council with a Decision Notice, for example for failure to comply with an undertaking, or where an investigation finds that the Council has mishandled personal data. A Decision Notice is a public notice and is often said to "name and shame" organisations that have failed to uphold the principles of the Act. (Strictly, Decision Notices are a Freedom of Information Act 2000 mechanism; under the Data Protection Act the equivalent public steps are published undertakings and Enforcement Notices.)
Enforcement Notice: If the Information Commissioner decides that there has been a serious or significant breach of the Act, he may serve the Council with an Enforcement Notice. This may force the Council to cease processing data in a particular way, or to cease processing personal data altogether. Failure to comply with an Enforcement Notice is a criminal offence.
The implications of these notices mean that the importance of compliance with this policy, together with the Act and the supporting guidance issued by the Information Commissioner, cannot be underestimated. It is therefore mandatory to comply.

23 Criminal Offences
The Information Commissioner has the power to prosecute those (personally and corporately) who commit criminal offences under section 55 of the Act (unlawfully obtaining, disclosing or procuring the disclosure of personal data). Other legislation, such as the Criminal Justice and Immigration Act 2008, allows the Commissioner to impose monetary penalties of up to £500,000 for serious and/or persistent breaches of the Act. A full list of offences can be found in the Information Commissioner's legal guidance on Data Protection.
In addition, in relation to computer-processed information, the following are offences under the Computer Misuse Act 1990:
- unauthorised access to computer material;
- unauthorised modification of computer material; and
- unauthorised access with intent to commit or facilitate the commission of further offences.
GOLDEN RULE: You must notify the Data Protection Officer immediately if you identify or suspect any offence. You may also want to consider raising the issue through the Council's Whistle Blowing procedure.

Section 7 DPO duties & responsibilities

24 The Data Protection Officer

The Council nominates the Senior Information Governance Officer to be the Council's Data Protection Officer, whose duties are to:

a) ensure the Council's Data Protection Notification accurately reflects the activities of the Council and is renewed each year (see policy statement 21).
b) maintain the Data Protection Policy and related guidance by ensuring it reflects current legislation and best practice.
c) provide advice, guidance and assistance to staff, elected members, contractors, agents, partners or consultants who have access to any personal information held by or on behalf of the Council in the practical application of the legislation and policies.
d) provide initial and refresher training to ensure all data handlers and processors understand, and continue to understand, their responsibilities with regard to data protection matters.
e) investigate data breaches, losses, inappropriate use or thefts and where necessary report such incidents to the Information Commissioner.
f) record and manage all requests for access to personal information, including subject access and section 29 & 35 requests.
g) keep a log of electronic and manual databases and review their use periodically for compliance.
h) provide or identify Privacy Impact Assessment tools for officers to assess new systems to ensure compliance with privacy legislation.
i) regularly review the continued appropriateness of all data sharing agreements that are in place.
In order to assist the Data Protection Officer, Council staff must inform the Data Protection Officer if:

- Any department creates a new database, or relevant manual filing system, or plans to purchase or use a third party database to hold personal information, or
- Any unexpected data loss or any potential security breaches are identified.

25 The Notification Process

The Council maintains, and will continue to maintain, regular Notification of its data activities to the Information Commissioner. Its registration number for such purposes is Z

It is the responsibility of the Council's Data Protection Officer to ensure the Council:

- regularly reviews its Notification to ensure that it reflects the use of personal information within the authority and,
- promptly (within 28 days) updates notified changes to the Council's Data Protection Notification with the Information Commissioner's Office.
- renews its annual Data Protection Notification notice on or before the last day of February each year.

If personal information is no longer needed for an activity, information is to be used for a new activity, or changes are made to the way personal information is used in an existing activity, it may mean that a Notification amendment is needed. To enable this process to begin you will need to supply the following information in writing to the Data Protection Officer:

- why (for what purpose) is personal information being processed?
- who is it about (the type of Data Subject)?
- what personal information (Data Classes) is being held?
- who has it come from and who does it go to?
- is information to be sent abroad, and if so where to?

It is your responsibility to ensure changes to the way you collect, hold or process information are reported to the Data Protection Officer. Only after you have supplied written notification of changes can the notification be reviewed and amended if required. You are breaking the law if you knowingly process information in contravention of the Council's Notification.

Golden Rule
Under no circumstances can personal information be used for a new or amended purpose until the Council's Notification has been checked and amended if required.

26 Complaints & Investigations

Everyone should expect the Council to hold, process and destroy personal data in a safe and secure environment. Occasionally individuals may have cause for concern that their personal information has not been managed as they would expect, and they have the right to complain. All such complaints will be investigated by the Data Protection Officer in the first instance using the Council's Information Challenge procedure.

27 Training

Data Protection training is a crucial element of staff awareness.
Staff, both permanent and temporary, need to be aware of their obligations relating to all personal data they process as part of their Council duties. Failure to adhere to the eight data protection principles can lead to possible disciplinary action and prosecution.

It is the Council's Policy that all staff who hold or process personal data receive the appropriate training in order to comply with the Data Protection Act. Basic data protection training is provided to staff via the induction process. Additional training will be provided for all who have access to personal information to ensure that they know how to:

- Identify personal data
- Ensure personal data is kept securely

Further in-depth data protection training is provided for all staff whose main function is to process personal information. [For further details of training please contact Human Resources]. In addition, staff are expected to read this Data Protection Policy.

28 Policy Review

There should be a regular annual review of this Policy, its working in practice and all related advice and guidance. The review will include tests on the continuing appropriateness of the safeguards and controls already in place. In addition, changes to legislation, national guidance, codes of practice or Commissioner advice will trigger mini compliance and policy reviews.

GOLDEN RULE
When you think about Data Protection remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled and then manage the personal details of others in the same way.

Section 8 Further information

Guidance

Compliance - Related Legislation
- Copyright, Designs and Patents Act 1988
- Children Act 1989
- Computer Misuse Act 1990
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Disability Discrimination Act 1995
- Disability Discrimination Act 2005

Links to other associated legislation
- Defamation Act 1996
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Civil Contingencies Act 2004
- The Re-Use of Public Sector Information Regulations 2005
- Criminal Justice and Immigration Act 2008

References
- Data Sharing Review Report - Richard Thomas and Dr Mark Walport, 11th July 2008
- Framework Code of Practice for sharing personal information
- Legal guidance on Data Protection

Definitions

Data > Any information automatically processed or going to be automatically processed. This includes information contained within structured and unstructured manual files.

Data Controller > Person (i.e. natural person or legal body such as a business or public authority). Decides the manner in which, and the purpose for which, personal data are processed. In our case this is the Council, not an individual.

Data Protection Officer > The person appointed by the Data Controller (the Council) to manage Data Protection compliance, advice and training within an organisation.

Personal Data > Information relating to a living identifiable individual.

Data Subject > An individual who is the subject of the personal data/information.

Data Processor > A person who processes on behalf of the data controller under.

Golden Rule > No legal definition. Included to highlight important and significant points.

Information Commissioner > An independent Officer appointed by Her Majesty the Queen and who reports directly to Parliament.

Processing > Any activity/operation performed on personal data - whether held electronically or manually, such as obtaining, recording, holding, disseminating or making available the data, or carrying out any operation on the data. This includes organising, adapting, amending and processing the data, retrieval, consultation, disclosure, erasure or destruction of the data. It is difficult to envisage any activity which does not amount to processing.

Sensitive Personal Data > Information relating to an individual's race/ethnic origin, their political opinions, religion, trade union membership, health, sexual life, criminal or alleged offences. Requires explicit consent to collect and hold this information.

3rd Party > A person or organisation whose personal information is within another person's.

Contact details

David Taylor
Senior Information Governance Officer (Freedom of Information and Data Protection Officer)
Borough Solicitor's Department
The Guildhall
Northampton, NN1 1DE
Telephone:
Fax:
djtaylor@northampton.gov.uk

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, SK9 5AF
Tel:
Website:

THE GOLDEN RULES

- The Council will only collect the absolute minimum amount of personal data required to conduct its business.
- Privacy statements (previously Fair Processing Notices) must be included when collecting any personal data.
- Treat all personal information as provided in confidence unless otherwise advised.
- The golden rule of free text is to consider if you would be happy for someone else to write about you what you have written about them.
- Without exception, information must not be used for any additional purposes without the consent of the data subject.
- Never disclose personal data without authorisation. It may be a disciplinary offence.
- You must notify the Data Protection Officer immediately if you identify or suspect any offence. You may also want to consider raising the issue through the Council's Whistle Blowing policy.
- Under no circumstances can personal information be used for a new or amended purpose until the Council's Notification has been checked and amended if required.
- When you think about Data Protection remember that we are all data subjects. Think about how appropriately and securely you would like your personal details to be handled and then manage the personal details of others in the same way.

TH!NK PRIVACY
