Access to Information: Data Protection and Freedom of Information
- Dale Golden
- 7 years ago
Records Management Section

Data protection: key concepts
- Personal data
- Sensitive personal data
- Data subjects
- Data protection principles

Personal data
Day-to-day definition: Any information about an identifiable, living individual, regardless of the format, e.g.:
- CCTV footage
- Computer data
- Paper files
- Disorganised notes
Detailed definition:

Sensitive personal data
- Racial or ethnic origins
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sex life
- Commission, or alleged commission, of any offence
- Proceedings for any offence and outcomes

Data subjects
An individual who is the subject of personal data. E.g.:
- Students
- Applicants
- Staff
- Research participants
- Customers

Data protection principles
1. Fair and lawful processing
2. No incompatible processing
3. Adequate, relevant and not excessive data
4. Accurate and up-to-date data
5. Data kept for no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Security
8. No transfers outside the EEA

What happens if we get it wrong?
- Fraud, identity theft, distress
- Damage to relationships and research access
- Reputational damage
- Investigated by the Information Commissioner
- The University can be fined up to £500,000
- The University can be sued
- Personal criminal offences
  - Unauthorised disclosure
  - Destruction of information required for a request
  - Processing without notification
"Optical Express slapped over spam text nuisance"

When can we be fined? (1)
Serious contravention of the data protection principles by the University or someone acting for it
- Nature of the information
- Number of people involved
- Duration of the breach
- Extent of the breach
For example:
- Loss of medical records during office move
- Loss of CD in absence of encryption facilities, procedures, guidance etc.

When can we be fined? (2)
AND likely to cause substantial damage or substantial distress
For example:
- Inaccurate information in an employment reference
- Exposure to identity fraud
- Worry and anxiety

When can we be fined? (3)
AND either:
- The breach was deliberate
  E.g. collecting information for one stated purpose and using it for another
OR
- must have known or should have known of the risk and failed to take reasonable steps to prevent it
  E.g. knowing that staff are using sensitive information on laptops and failing to encrypt them

What are reasonable steps?
- Risk assessment
- Relevant and appropriate policies, procedures, processes, advice and guidance in place and being followed
- Governance and audit arrangements in place to prevent contraventions
- Rectifying flaws as soon as they are identified

Data protection: what you must do
1. Respond to subject access requests within 40 calendar days
2. Tell individuals what you do with information about them
3. Keep personal data securely
4. If you pass data outwith the University, follow the policies and procedures, e.g.
   - Model contract clauses
   - Student information
   - Internet publishing
   - Staff information
5. Use University retention schedules and disposal guidance

Subject access requests
- 40 calendar days to respond
- £10 statutory fee
- Co-ordinated by practitioners and Records Management Section
- Ensure you are not the only person with access to any records
- Use shared drives
- Don't keep unnecessary records
- Be aware that people can ask to see any record
Procedures at:

Collecting personal data
- Tell data subjects what you do with personal data
  - Privacy notice
- Only use personal data for the purpose it was collected
- Meet the processing conditions, e.g.:
  - Consent
  - In pursuit of legitimate interests and does not cause unwarranted prejudice to the data subject
- More stringent conditions for sensitive personal data
- Only keep relevant and accurate personal data
- Marketing

Marketing: privacy and electronic communications regulations (PECR)
Direct marketing: The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Marketing is not just the offer for sale of goods and services, but also the promotion of an organisation's aims and ideals.
Collecting contact details for direct marketing:
1. Obtain positive opt-in before sending any messages
   - Think about form design for collecting contact details and opt-ins
2. Provide privacy notice
   - Type of marketing materials you intend to send
   - How you intend to contact recipients
   - Clear opt-out opportunities

Sending direct marketing communications
- Clearly identify the sender
- Traditional letters and telephone calls
  - Screen against the MPS/TPS register
  - Screen against our suppression list
  - Provide a valid address or free phone number to opt-out of further letters and calls
- Email, SMS, voicemail / answer phone messages
  - Obtain opt-in before sending any messages (unless soft opt-in applies)
  - Provide an opt-out on each message

Patients' medical histories stored on stolen laptop
A LAPTOP containing personal details of scores of NHS patients is one of nearly 200 computers either stolen or missing from public bodies in the Lothians. The computer held "extensive" data on the psychiatric and personal histories of participants in a medical study, as well as information on whether they had suffered physical or sexual abuse.
Edinburgh Evening News, 25 February

University Policy on taking sensitive information and personal data outside the secure computing environment
All medium and high risk personal data or sensitive business information must be encrypted if it leaves the University environment

Classification of risk
Sensitive personal data: Medium, High, High, High
Fraud or identity theft data: Low, Medium, Medium, High
Identifiable individual: Low, Low, Medium, High
5 9 Individuals Individuals Individuals > 1000 Individuals

High risk personal data and business information
- Any set of data relating to individuals
- Information about 50+ that could be used for fraud or identity theft
- Information about personal/family lives of 50+ individuals
- Proposals having a significant impact on 50+ individuals
- Sensitive personal data relating to 10+ individuals
- Health records of any identifiable person
- Security arrangements (whilst still relevant)
- Changes to high profile strategies, policies and procedures

Medium risk personal data and business information
- Information relating to identifiable research participants
- Sensitive personal data relating to 1-9 individuals
- Information about personal/family lives of
- Information about individuals that could be used for fraud or identity theft
- Any set of data relating to individuals
- Information provided in confidence
- Information that could disadvantage the University's negotiations
- Proposals having a significant impact on individuals

Key Principles
1. Avoid using personal data wherever possible
2. Anonymise
3. Use secure shared drive
4. Use remote access facilities
5. If cannot avoid using a mobile device, encrypt
6. Do not use personal equipment or third party hosting services
7. Avoid email
   - Encrypt
   - Indicate content in title
8. Do not use in public places
9. Take physical security measures
10. Implement University retention and disposal policies

What do you need to do?
- Comply with policy
- Follow guidance
- Use recommended USB stick
- Encrypt laptops
- Take sensible precautions
  - Passwords, autolocking
  - Log out
  - Destroy, don't recycle
- Know your software
- Get to know the IT Security website

Model contract clauses
Why?
- It is a legal requirement
- We are responsible for our contractors' / suppliers' use of personal data
- If things go wrong, the buck stops with the University
How?
- Cover data protection requirements in the contract
- Use the appropriate model clauses
Procedures at:

Disclosing student information
- Information about students is confidential
- Disclose only in line with policy/procedures or on decision of relevant head of department
- Decision is the responsibility of the owner of the data/function
- Immigration Service
- Embassies and high commissions
- Parents have no entitlement to information
- Do not confirm or deny that someone is a student
- Tell the student
Procedures at:

When can I disclose?
- To the student or their representative
- With student's consent
- To University staff for declared purposes
- Disclosure is required by law e.g. immigration
  - Confirm identity of enquirer
  - Check the law
- For the prevention or detection of crime
  - Usually Registry
  - Not a fishing exercise
  - Serious offence
  - Get the relevant paperwork
- Fraud
  - Forward the case to Registry

Internet publishing
- Before publishing get consent
- Written or verbal consent?
  - Appropriate to the risk
- Allow individuals to manage publication themselves?
- Ensure information can be quickly removed
Procedures at:

Disclosing staff information
- Information about staff is confidential
- Enquiries for information should be handled in line with policy/procedures or on decision of relevant head of section
- Do not confirm or deny that someone is a member of staff unless the information is publicly available
- If in doubt do not disclose the information and seek advice from the Records Management Section
- Model letters are available
Procedures at:

When can I disclose?
- With the staff member's consent
- Disclosure required by law e.g. HESA, UKBA
- For the prevention and detection of crime
- Non-disclosure would prejudice interests
- Necessary to protect from fraud or misrepresentation
- To University staff for declared purposes
- Media enquiries
- Freedom of information requests

Implications for research
- If promising confidentiality, be specific
- If using personal data, two options:
  - Completely anonymise the data, or
  - Comply with the Data Protection Act
- Collect only what you need
- Inform data subjects what you intend to do with the data
- Keep and dispose of data securely
- Identify and implement retention policy for research data

Implications for teaching
- Do not collect unnecessary student information
- Don't share student info outwith the University
- Use remote access facilities, don't store student information at home or elsewhere
- Take care where you access and use student info

Freedom of information: principal requirements
[Chart: Ten years of FOI requests, by year]
- Individual requests
  - Received 440 requests in 2014
  - Popular topics: expenses, salaries, finance/investments, student population and conduct
- Publication scheme
  - Must keep up-to-date
  - Must publish in line with obligations
- Records management
  - Helps to find information

Individual requests
- Anyone, anywhere can ask for anything held by the University
- Any question to any member of staff counts
- They do not have to cite freedom of information
- Includes information created by other organisations
- Cannot ask why they want to know
- Duty to provide advice and assistance
- Maximum of 20 working days to respond
- Must provide information or claim an exemption
- Exemptions are narrowly drawn

Relevant exemptions
- Information otherwise accessible
- Research information
- Commercial interests
- Trade secret
- Actionable breach of confidence
- Breach of the data protection principles
- Effective conduct of public affairs
BUT: Exemptions are narrow and subject to the public interest test

*Not* exemptions
- I don't like / don't trust the applicant
- I'm too busy
- I don't know
- I can't find the information easily
- It's embarrassing
- It looks bad
- It is bad

Good records management
1. Helps you to do your job better
2. Protects you and the University
3. Saves you time
4. Reduces costs
5. Gives you records you can rely on

- Creating records
- Organising records
- Retention and disposal
- Managing email
- Dos and don'ts

Creating records
- Consider the purpose of the record
- Ensure that the record fulfils its purpose
- Do not create records unnecessarily
- Document the University's activities
- Be sure of the facts
- Provide evidence
- Is it about an identifiable, living individual?
  - Ensure that the information is relevant, accurate and not excessive
Guidance at:

Organising records
- Create files
  - Containing information on the same issues / responsibility / transaction
  - Designate a single, lead file or golden copy
- Storage of records
  - Accessible to all relevant staff
- Format: paper, electronic, microfilm, etc.
  - Irrespective of the format, use the same records management principles

Filing Scheme
[Diagram: An example of an electronic filing scheme, showing Level 1, Level 2, Level 3 and Level 4 folder tiers]
4 level hierarchy:
- Level 1 = broad categories
- Levels 2-3 = more refined categories
- Level 4 = folders to file your records
Only file records at level 4

How long should we keep records?
- Ask your practitioner about your unit's local retention schedule
- See Records Management Section advice:
  - University retention schedules:
  - Disposal: destruction or transfer to archive
  - Risk assessment
Procedures:

Creating a retention schedule
- Duplicate records vs. golden copies
- Legal or regulatory requirements?
- Current business processes
- Document business processes / decisions taken / actions carried out for future reference
- Accountability purposes?
- Long-term research value?

Managing email
Issues to consider:
- Work emails are University documents
- Work emails may be open to scrutiny
- Email is not secure
Recommended management techniques:
- File important emails so that they are accessible to others
- Delete unwanted emails
- When replying, keep the original text as part of your response
- Set up a separate folder for personal emails
Guidance at:

Records Management Best Practice
Do:
- Organise your records into files
- Store records in such a way that any other user can readily find relevant information
- Ensure that work done at home is added into your unit's records systems
- Mark personal material clearly as such
- Remember every email is a University record
- Store important information with the relevant file(s)

Records Management Best Practice
Don't:
- Keep records for any longer than they are needed
- Keep files that duplicate information held elsewhere in your unit (except to meet short-term operational requirements)
- Keep University records on personal drives, unless it is highly confidential
- Keep sensitive University information on your home computer
- Store information on your c: drive
- Name folders on shared drives after yourself

What does freedom of information mean for you?
- Use the procedures available to answer requests

What does freedom of information mean for you? (1)
- Any request for information must be answered in 20 working days
- Follow the procedures to avoid complications
- Keep a record of what you did
- Contact your local practitioner:
  - If in doubt
  - To refuse a request
  - When it is not in your remit to release this information

What does freedom of information mean for you? (2)
- All documents & emails may be open to scrutiny
- Create clear and professional information
- Encourage use of Internet
- Make sure someone can find your information in your absence
- Preserve & share key information
- Delete unnecessary information

Enforcement
- Complain to the Scottish Information Commissioner
- Personal criminal offence
  - Destruction of information required for a request
- Contempt of court

Advice and assistance
- Your local practitioner
- The Records Management Section: recordsmanagement@ed.ac.uk

Questions?
More informationData Protection for the Guidance Counsellor. Issues To Plan For
Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)
More informationPERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationHalton Borough Council. Privacy Notice
Halton Borough Council Privacy Notice Halton Borough Council is registered as a data controller under the Data Protection Act as we collect and process personal information about you. The information we
More informationData protection policy
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
More informationMENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose
MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationData Protection Act a more detailed guide
Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data
More informationHow To Protect Your Personal Information At A College
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
More informationInformation Services. Protecting information. It s everyone s responsibility
Information Services Protecting information It s everyone s responsibility Protecting information >> Contents >> Contents Introduction - we are all responsible for protecting information 03 The golden
More informationBarnet Partnership Information Sharing Protocol
Barnet Partnership Information Sharing Protocol Information Sharing Protocol V1_0C - FINAL Page 1 of 52 Version 1.0 (FINAL) Contents 1 Background... 4 1.1 The need to share information... 4 2 Scope...
More informationEMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents
EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationDATA PROTECTION AUDIT GUIDANCE
DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data
More informationPersonal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.
Background The Data Protection Act 1998 i came into force in March 2000 and is followed by all NHS employed staff via their policies and procedures. The act applies to all personal, identifiable information
More informationSCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES
SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES 1 1 Definitions In these conditions:- We means Scotland s Commissioner for Children and Young People,
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary
More informationData Protection Policy Information for Clients
Data Protection Policy Information for Clients Foreword This document outlines Numis Securities Limited s ( the Firm or Numis ) legal obligations and policy on data protection. Further information can
More informationAlign Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
More informationINTERNATIONAL SOS. Data Protection Policy. Version 1.05
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
More informationSummary Electronic Information Security Policy
University of Chichester Summary Electronic Information Security Policy 2015 Summary Electronic Information Security Policy Date of Issue 24 December 2015 Policy Owner Head of ICT, Strategy and Architecture
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationEnterprise Information Security Procedures
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
More informationSomerset County Council - Data Protection Policy - Final
Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council
More informationCORK INSTITUTE OF TECHNOLOGY
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
More informationCorporate Data Protection Policy
Corporate Data Protection Policy September 2010 Records Management Policy RMP-09 GOLDEN RULE When you think about Data Protection remember that we are all data subjects. Think about how appropriately and
More informationPhotography and filming in schools Code of Practice
Photography and filming in schools Code of Practice Data Protection compliance September 2010 Photography and filming in schools September 2010 1 Contents 1. About this code 3 2. Complying with the Data
More information