Policy Procedure. Data Protection Act Contents

Transcription

1 Policy Procedure Data Protection Act 1998 New policy number: 351 Old instruction number: MAN:A030:a2 Issue date: 20 April 2004 Reviewed as current: 16 January 2015 Owner: Head of Information and Communications Technology Responsible work team: Knowledge Management Team Contents 1 Introduction Background Individuals rights to personal data The data protection principles Responsibilities What is a Subject Access Request (SAR)? Receiving a SAR Procedure for handling a SAR Exemptions Penalties Personal Record Files (PRF) Other requests for information Good records management Charging Complaints handling Information commissioner and the tribunal Notification Further guidance/advice and contact points... 9 Appendix 1 Subject access request flowchart...11 Document history...12 Review date: 16 January 2018 Last amended date: 351 Issue date: 20 April of 12

2 1 Introduction 1.1 This policy outlines the LFB s procedures when complying with the Data Protection Act 1998 and also handling a subject access request (SAR), which is a statutory right under section 7 of the Act. It will assist staff in understanding their personal responsibilities and rights under the legislation to make sure that they undertake their job roles in accordance with these requirements. Staff should be aware that when recording personal information, the information may have to be supplied to the individual, should they make a SAR. 1.2 The advice and policy statements in this policy should be followed by all employees, agency staff, contractors and Authority members. 1.3 Overall responsibility for compliance with the Data Protection Act lies with the Head of Information Management as the Authority s nominated data controller. On a day to day basis the Knowledge Management Team have responsibility for all data protection matters. 2 Background 2.1 The Data Protection Act 1998 (the DPA) provides a framework which sets out how organisations must process information about living individuals, in order to protect individuals from misuse of information that is held about them. The Act also provides individuals with a right to be provided with information that an organisation holds about them (subject to certain exemptions). The Act applies to personal information held electronically in a relevant filing system, manually and in other forms (e.g. photographs, video or audio recordings) which can constitute personal information. 2.2 The Act gives a number of rights to individuals, including the right to compensation in certain circumstances. 2.3 The Act seeks to achieve a better quality of information and processing by placing responsibilities on those in charge of personal information. These responsibilities include complying with basic principles such as keeping the information up to date and notifying the Information Commissioner as to how the personal information is used. 3 Individuals rights to personal data 3.1 All living individuals have a right to access information held about themselves, in whatever format. This could include personal information held manually (within a relevant filing system ), electronically (including s) or in any other format (e.g. photographic). To access this information, individuals can make a Subject Access Request (SAR),which is explained in section Personal data under the Act includes any information which relates to a living individual who can be identified from that information (or with other information which LFB holds). It covers information held electronically and manually. This means that all staff are affected by the provisions of the Data Protection Act in some way or another. For example, some s, a Personal Record File (PRF) or a CV may well be personal data. See appendix 1 for definitions of key terms under the Data Protection Act. 3.3 There is a specific category of personal data called sensitive personal data which is defined by the Act as consisting of information as to the data subject s: Racial or ethnic origin. Political opinions. 351 Issue date: 20 April of 12

3 Religious beliefs (or other beliefs of a similar nature). Trade union membership status. Physical or mental health or condition. Sexual life. The commission or alleged commission by an individual of any offence. Proceedings for any offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of any court in such proceedings. The principles relating to individuals rights are summarised by the Information Commissioner s Office at this link: rights/. 4 The data protection principles 4.1 The Act contains eight data protection principles, which are rules as to how personal information must be handled. These principles form the backbone of the legislation and should be followed by all employees, agency staff, contractors and Authority members. Everyone has a duty to adhere to these principles regardless of job grade/function of the individual. 4.2 The principles are as follows: No. The Act says This means For example 1 Personal data shall be processed fairly and lawfully. 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. The data subject should be informed who the data controller is, why the information is being processed and any other information needed to ensure that the processing of the information is fair. This principle also requires that at least one of the conditions in Schedule 2 or 3 to the Act is met. You should not collect and use information unless there is a specific and valid reason for doing so. The data subject must be told what the information will be used for. Personal information collected for one reason must not be used for any other unrelated purpose. Where forms are used to process personal information include a data protection statement. To find out more, speak to the Information Access Team. For example, names and addresses held for employment purposes must not be used for a marketing campaign which is outside of this purpose, without consent of the individuals. 351 Issue date: 20 April of 12

4 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4 Personal data shall be accurate and where necessary, kept up to date. 5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6 Personal data shall be processed in accordance with the rights of data subjects under this Act. 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against loss or destruction of, or damage to, personal data. Only information needed for a specific purpose should be collected. Information that is not relevant for the purpose must not be collected simply because it might be useful in the future. Also, when filling in forms about staff, citizens or other individuals, you should only record relevant factual information not your personal remarks/opinions. Information should be recorded accurately and managers should take reasonable steps to check the accuracy of information and make sure procedures are in place to keep the information up to date. Know how long you need to keep information for and then destroy it when it passes its sell by date. See section 3: Individuals rights. Security controls need to be in place and followed by all staff. These may be technical (for example, relating to computer systems), or organisational (for example, management structures or the workplace). For example, a job application form should not ask for details that only successful applicants need to give (such as next of kin details). For example, before using information kept as part of a mailing campaign, reasonable steps should be taken to check the accuracy of the information. For example, keeping interview notes of unsuccessful candidates for longer than six months would be keeping them longer than necessary. See section 3: Individuals rights. For example, this includes access rights to personal information. Only employees who need to use personal information to carry out their work should have access to it. 351 Issue date: 20 April of 12

5 8 Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless that country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Some countries outside Europe do not have the same legal requirements to protect information. Managers should take steps to make sure personal information that is transferred outside the EEA is secure. For example, when transferring personal information to the USA appropriate security checks should be undertaken. Always consult the Information Access Team for advice in these circumstances. 5 Responsibilities 5.1 It is important that the LFB handles personal information that it holds on its staff, users and third parties in a responsible and honest way. All staff who have access to personal information in any form must adhere to the requirements as set out in the Data Protection Act Staff are personally responsible and accountable for ensuring compliance with the provisions of the Act and in particular the eight data protection principles. All staff are responsible for the application and implementation of the Act within their area of responsibility and must ensure that their staff and other persons for whom they are responsible are aware of and understand their responsibilities under the Act. 6 What is a Subject Access Request (SAR)? 6.1 A subject access request (SAR) is a request from an individual (applicant) for information which relates to them (known as personal data ). Under the Data Protection Act, we must deal with a SAR within 40 days. 6.2 It is important that staff and managers know how to recognise a SAR when they see one. Any member of staff could receive a SAR. Additionally, it is useful for staff to know that they are entitled to make a SAR and how to do this. 6.3 A SAR has to be in written form (includes /fax) from either an individual or person acting on behalf of the individual (e.g. solicitors) asking for information relating to the individual. It may be vague or very descriptive but it does not have to quote the Data Protection Act or even state that it is a SAR. It can be from anyone (e.g. a member of the public or staff). 6.4 A verbal request for personal information (whether from a member of staff or from the public) cannot be treated as a SAR. If you receive a verbal request for personal information, then you should advise the applicant to put the request in writing. (See section 18: Further advice/guidance and contact points for links). The 40 day deadline starts from the date the written request is received (not the verbal request). You should also refer the applicant to the Information Access Team who will be able to offer help and advice. 6.5 For more detail on the information an individual can expect to receive by making a SAR, refer to the Information Commissioner s Office guidance which can be accessed through this link: 7 Receiving a SAR 7.1 Staff who have received a SAR should refer it to an Information Access Manager in the Knowledge Management Team immediately in order to meet the statutory deadline for the 351 Issue date: 20 April of 12

6 provision of information (40 days from receipt of the request). Please note that some minor requests for personal information can be dealt with locally by managers see section The Authority must respond to the request promptly and in any case before 40 days of receiving the request have elapsed. 8 Procedure for handling a SAR Overview 8.1 Personal information, which may be subject to a request, could be held by a variety of departments and individuals in a range of formats. It is important that a response to the SAR is comprehensive in meeting the request and that all relevant personal information is located. 8.2 The Information Access Team is responsible for liaising with relevant members of staff from departments to co-ordinate and collate all the information which is needed to meet a SAR. Staff must co-operate with the Information Access Team in order to locate the information that they may hold. 8.3 Staff may be asked to search their files, s or other records, for information held or processed about the applicant. 8.4 The Information Access Team will follow the procedure at Appendix 1 when they receive a SAR referral. Electronic information 8.5 The Information Access Team may be required to search all drives and s in order to respond to a request for information. 8.6 Where possible the Information Access Team will obtain the consent of the individual concerned to access t their s or personal drives to search for any relevant documents. However, there may be exceptional circumstances where this is not possible, in which case access to s and drivers may be obtained in accordance with Policy number ICT acceptable use policy. Manual information 8.7 The Information Access Team will request that relevant members of staff search their manual files, outlining the boundaries of the search (e.g. date ranges or subject). 8.8 The search should only cover personal information about the individual. 8.9 In preparing to send the collated information to the applicant, the Information Access Team will filter the information to: Make sure that only the information requested is included. Remove duplication (where possible). Delete personal information relating to third parties. Seek the consent of the third party(ies) to disclose the information where simply deleting the personal information relating to the third party(ies) is not practicable. Where consent to disclose information is not obtained, consult as appropriate, (including with the Head of Information Management), as to whether it would be lawful to disclose it without consent. Consider the application of exemptions where withholding certain information may be deemed necessary. 351 Issue date: 20 April of 12

7 9 Exemptions 9.1 The Act contains exemptions to the duty not to disclose personal information and also to the right of individuals to be provided with their personal information. There are two categories of exemption: Primary exemptions 9.2 These are more likely to be claimed as they cover a wide-range of areas. 9.3 Examples of primary exemptions include: national security, health, education and social work and crime and taxation. Miscellaneous exemptions 9.4 Exemptions within this category are related to a specific purpose. For example, in the specific circumstance of providing a reference. 9.5 Examples of miscellaneous exemptions include: confidential references given by LFB, legal professional privilege, negotiations with the data subject and management forecasting/planning. 9.6 The exemptions will either apply to some or all of the information. The exemption may be relied upon to: Disclose information to persons who are not listed on the notification register, and without having to inform the data subject e.g. disclosure to prevent crime or taxation fraud. Limit the data subject s access to information held about him/herself, e.g. data relating to the health of the person. Extend the length of storage of personal data, e.g. if it is being used for statistical, historical or research purposes. 9.7 Any application of an exemption must be applied through the Information Access Team. All the exemptions to the Data Protection Act are listed below: National Security. Crime and Taxation. Health, education and social work. Regulatory activity. Journalism, literature and art. Research, history and statistics. Information available to the public by law. Disclosures required by law or made in connection with legal proceedings etc. Domestic purposes. Miscellaneous exemptions. Exemptions made by Orders under the DPA. 10 Penalties 10.1 Failure to comply with the Data Protection Act can lead to enforcement action by the Information Commissioner (for further information, refer to Section 16). Where a breach of the Act is found, the Information Commissioner may serve data controllers with: Information notices, requiring data controllers to provide information about their processing operations (unless the information is self-incriminating or the subject of legal privilege). Special information notices. Enforcement notices, requiring data controllers to comply with the data protection principles. 351 Issue date: 20 April of 12

8 10.2 In addition, under certain circumstances, the Commissioner may (with a warrant from the court) exercise powers of entry, inspection and seizure of documents and equipment The Information Commissioner can also serve a monetary penalty notice for serious breaches of the DPA, the maximum penalty being 500, Individual members of staff may also be liable in certain circumstances. For example, where they knowingly withhold information, upon request, as part of a SAR Proceedings can be brought against the Authority itself, directors, managers, or any other member of staff concerned For further details about individual s rights and compensation, refer to: 11 Personal Record Files (PRF) 11.1 All staff have a right to view their personal record file. Since the DPA applies to manual records in a relevant filing system, a request to view a PRF is also technically a SAR. This means that PRF requests should be handled in the same way as general SARs. The Human Resources and Development department are responsible for PRFs and work with the Document Management Team (in the Information and Communications Technology Department) who manage the PRFs Alternatively, PRFs can be accessed by selecting this link: then clicking on the link 'view my employment record'. 12 Other requests for information 12.1 Other requests for personal information, for example, a request from an individual asking their manager to see their interview notes or details held about them on the training database are also technically SARs. Therefore, the same rules apply If you receive a request for personal information (such as the above examples) then either: Pass this request to Information Access Team. Deal with the request if it is part of your normal working practice in accordance with the requirements of the data protection series policies If you intend to withhold the information from the individual, for whatever reason, then you should contact the Information Access Team for further advice and guidance. See section 18: Further advice/guidance and contact points. 13 Good records management 13.1 It is essential that staff and managers adopt good records management practices and processes so that personal information can be easily located, within a reasonable time, whilst ensuring that personal information is not kept for longer than necessary and is kept up to date For further information on good records management, contact the Document Management Team on extension Charging 14.1 Although the Authority is able to make a charge for handling a SAR, there is currently no charge for this. 351 Issue date: 20 April of 12

9 15 Complaints handling 15.1 If an individual is dissatisfied with the service they have received in relation to their request for information, they have a right to complain to the Authority. If an individual is dissatisfied with the information provided (or the decision not to provide certain information) then they have a right for their request to be reviewed. Complaint about standard of service: 15.2 You must deal with such complaints under Policy number 639 External compliments and complaints procedure. Complaint about the information provided: 15.3 The following link provides information about complaints relating to the handling of requests for information: 16 Information commissioner and the tribunal 16.1 The Information Commissioner (IC), a government appointee, has various responsibilities, including the issuing of guidance on the interpretation and application of the legislation The IC reports directly to Parliament. The IC s responsibilities include data protection and freedom of information. In essence the IC: Promotes good practice by data controllers, and in particular promotes compliance with the requirements of the Act. Publicises information about the Act and how it works. Encourages, where appropriate, the development of codes of practice for guidance as to good practice. Takes enforcement action where necessary The Information Tribunal hears cases about alleged breaches of the DPA and also Freedom of Information. Breaches of the Data Protection Act 1998 sometimes involve offences which are punishable. 17 Notification 17.1 The Authority is required to notify the Information Commissioner, annually, of certain details about how we process personal information. This notification process replaced registration under the 1984 Act. Notification and details of processing must be kept up to date at all times. Failure to keep notification registers up to date is an offence under the Act. The notification is written in very broad terms, but where there is a change to processing, the Information Commissioner must be informed, in order to amend the entry on the notification. You can access the LFB s notification on the Information Commissioner s website (details below) If managers think the entry on the notification is out of date (or have a query), then they should contact an Information Access Manager in the Knowledge Management Team immediately who will update the notification (if necessary). 18 Further guidance/advice and contact points Knowledge Management Team Further advice and guidance is available from the Information Access Team (extensions and 30086). Record Services For information on records management contact (extension 38380). 351 Issue date: 20 April of 12

10 Website Information Commissioner You can also find more information on hotwire and London-fire: or Detailed guidance from the Information Commissioner s office can be found on their website at Issue date: 20 April of 12

11 Appendix 1 Appendix 1 Subject access request flowchart Confirm the identity of the individual to make sure that the correct information is supplied to the correct person. - If someone (other than a solicitor) is acting on behalf of the individual, then written proof/consent from the individual must first be obtained. Where a request for information is open-ended or vague, the Information Access Team will seek further clarification to define the search. This can be done, in line with the Data Protection Act, by asking the applicant for: The date range What the information is about The Information Access Team will liaise with their data protection contact in the Legal and Democratic Services Department in cases where it is necessary to seek legal advice and agree how to handle the request. The Information Access Team will contact the relevant members of staff/departments who they believe may hold the information requested taking into account the nature or the subject of the request. Staff should respond to the Knowledge Management Team promptly and without delay, with confirmation of whether they hold the information or not. If staff do hold the information they should make it available, making sure that the information is not deleted, amended or changed in any way in order to make it suitable for the applicant. 351 Issue date: 20 April of 12

12 Document history Assessments An equality, sustainability or health, safety and welfare impact assessment and/or a risk assessment was last completed on: EIA 12/02/2008 SDIA 01/09/2011 HSWIA RA Audit trail Listed below is a brief audit trail, detailing amendments made to this policy/procedure. Page/para nos. Brief description of change Throughout Throughout, policy departmental changes - from Democratic Services Team to Knowledge Management Team Human Resources updated to Human Resources and Development in accordance with Top Management Review. Date 19/05/ /02/2011 Throughout Reviewed as current paragraphs 5.2 and 7.2 added and other 11/03/2011 minor changes made. Appendix 1 Reference to Records Services has been replaced by Document 24/11/2011 Management Team. Page 6-7 Section 13 amended. 06/12/2011 Throughout Department name change: Knowledge and Document 21/03/2012 Management Team has been replaced by Knowledge Management Team. Page 4, para 6.5 Removal of reference to PN485 after update of the policy caused 30/04/2012 the relevant content to be removed. Review dates Reviewed as current, no changes made. Review dates amended. 18/06/2014 Page Subject list and FOIA exemptions tables updated. 16/12/2014 Throughout Major changes made throughout. The content of PN381 data protection act 1988: overview has been merged into this policy. 16/01/2015 Subject list You can find this policy under the following subjects. Data protection Regulations Legal Freedom of Information Act exemptions This policy/procedure has been securely marked due to: Considered by: (responsible work team) FOIA exemption Security marking classification 351 Issue date: 20 April of 12