BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

Transcription

1 BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information on behalf of the Council. 3 Policy Summary This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act Critical Points A serious breach of this policy could lead to disciplinary and\or legal action. 5 Who does this policy apply to? This policy is applicable to anyone processing data on behalf of BHCC. 6 Is acceptance of this policy mandatory? Yes, this policy is mandatory for all users described in section 5 above.

2 BHCC Policy Contents 1 Policy Name Purpose of Policy Policy Summary Critical Points Who does this policy apply to? Is acceptance of this policy mandatory? Introduction Scope Policy Principles Risk Monitoring Responsibilities Related Policies, Standards & Guidance Terms & Definitions Enforcement Review Appendix I Document Attributes Document Information Document History Document Approval... 8 BHCC Data Protection Policy Page 2 of 8

3 7 Introduction The purpose of this policy is to define the standards and procedures expected of all Brighton & Hove City Council employees, and any third parties when processing information on behalf of the Council. This may include, but is not limited to; members, contractors and other agents. The Data Protection Act 1998 ( DPA ) establishes a framework of rights and duties which safeguard personal information. Personal information is information about a living individual who can be identified from that information. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes, against the right of the individual to have their personal information kept private. Brighton & Hove City Council is committed to protecting the privacy of individuals and handles all personal information in a manner that complies with the DPA. The Council has established this policy to support that commitment. 8 Scope Brighton and Hove City Council will comply with the requirements of the Data Protection Act. It is the personal responsibility of all employees and any third party processing information on behalf of the Council to familiarise themselves, and comply with this policy and associated guidance (where relevant to their role). This policy applies to all personal and/or sensitive personal information 9 Policy 9.1 Principles All organisations must comply with the DPA, the purpose of which is to protect the rights of the individual (referred to as data subjects under the Act) when dealing with their personal or sensitive personal information. Personal data means information about a living, identifiable individual. This could be a person s name together with any other information about them such as their address, age or telephone number. It could also be information about their hobbies or financial status, an opinion about them or some intention of action against them. BHCC Data Protection Policy Page 3 of 8

4 Sensitive personal data is specifically defined as information relating to a person s racial or ethnic origin, political opinions, religion or beliefs, membership of a trade union, physical or mental health, sexual life, alleged offence, or any proceedings for any offence. Data Protection is not a barrier to sharing information, it provides a framework to ensure that personal information is shared appropriately. There are occasions when it is appropriate, and a requirement, to share information without consent, this is when there is an overriding public interest. This would include circumstances where there is an actual or potential risk of significant harm to an adult or child or when professional judgement is required to determine whether or not an adult or child is at risk of significant harm. The DPA consists of 8 principles which must be understood by anyone processing information on behalf of the Council, and adhered to at all times. Personal data shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met. Personal data shall only be obtained for a specific and lawful purpose or purposes. It will not be processed in any manner incompatible with that purpose/s. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Personal data shall be accurate and where necessary kept up to date. Personal data shall not be kept for longer than is necessary. Personal data shall be processed in accordance with the rights of the data subject under the act. Appropriate technical and organisational measures shall be taken to prevent unauthorised or unlawful processing and accidental loss or destruction. Personal data will not be transferred to a country outside of the European Economic Area unless that Country has similar controls to the UK deemed adequate by the Information Governance team. 9.2 Risk Brighton & Hove City Council recognises the risks associated with users handling information in order to conduct official Council business. In the event of a breach action may be taken against the Council (as the Data Controller) and/or the employee responsible for the breach. Non-compliance with this policy may result in damage or distress to an individual/individuals, financial loss, an inability to provide services to our customers, and adversely impact the Council s reputation. The Information Commissioners Office ( ICO ) has the power to issue fines of up to 500,000 per breach of the act. Alternative options include issuing a decision BHCC Data Protection Policy Page 4 of 8

5 notice requiring the Council to take a course of action, or an enforcement notice forcing the Council to take a course of action. The Council could also face personal or group litigation 9.3 Monitoring All users should be aware that in order to protect BHCC systems and to ensure that BHCC operates in accordance with its legal and regulatory obligations, system use may be logged and monitored in accordance with The Regulation of Investigatory Powers Act 2000 and The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations Communications sent or received by means of the Public Services Network ( PSN ) may also be intercepted or monitored and users should understand the consequences of non-compliance with this policy and the Acceptable Use of ICT policy, which may include disciplinary and\or legal action. 9.4 Responsibilities All users have a responsibility to read, understand and implement this policy. The Corporate Management Team ( CMT ) is responsible for ensuring that staff operate in accordance with contents of this policy. The Chief Technology Officer has overall accountability and authority for the policy and for authorising any monitoring activity. 10 Related Policies, Standards & Guidance This policy should be read in conjunction with the following BHCC Policies: Information Security Policy Information Handling Policy Data Protection Guidance in the Event of a Breach Handling Personal Information Guidance Subject Access Request Guidance Preparing Files for Disclosure Guidance This policy has been drafted in line with the recommendations and advice contained in the following documents: ISO 27002: Code of Practice for Information Security Management Information Commissioners Office best practice guidance The following is a non-exhaustive list of the statutes and statutory instruments deemed relevant to this policy: BHCC Data Protection Policy Page 5 of 8

6 The Data Protection Act 1998 The Freedom of Information Act 2000 The Human Rights Act 1998 The Regulation of Investigatory Powers Act 2000 The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations Terms & Definitions All words or phrases shown in italics are policy terms. Definitions for policy terms not specifically given in this section can be found in section 6 of the Information Security Policy. The terms data and information are used interchangeably in this policy. All terms have the same definition as those included in the Data Protection Act Enforcement Any user found deliberately contravening this policy or caught jeopardising the security of information that is the property of BHCC may be subject to disciplinary action and, where appropriate, legal action. 13 Review This document will be reviewed annually as a minimum or wherever there may be a change of influencing circumstances. BHCC Data Protection Policy Page 6 of 8

7 14 Appendix I 15 Document Attributes 15.1 Document Information Policy Name Data Protection Policy Identifier Classification Document Type Operational Policy Version 1.06 Date Created 16 July 2011 Last Review Date 15 December 2015 Next Review Date 30 November 2016 Document Author Data Protection Manager Document Owner Head of ICT Business & Governance 15.2 Document History Date Summary of changes First Draft by ICT Security & Standards Manager Revision of responsibilities. Addition of IMB Version Template change Job title change & legislation change Job title change & legislation change Minor reviews 1.06 BHCC Data Protection Policy Page 7 of 8

8 and change of IMB to IGB 15.3 Document Approval Date Name & Job Title Version Information Governance Board 1.06 End of Document BHCC Data Protection Policy Page 8 of 8