Data Protection Policy
- Cynthia Lee
- 7 years ago
Date approved by Heads of Service: 3 June 2014
Staff member responsible: Director of Finance and Corporate Services
Due for review: June 2016
Content
1 Purpose of the Policy
2 Definitions
3 Commitments
4 Responsibilities
5 Key Points of the Policy
6 Monitoring and Review
7 Communication to Staff
Appendix: Breach Procedure
1. Purpose of the Policy

1.1 The purpose of the policy is to demonstrate the corporate commitment of the organisation for a culture of ensuring the principles within the Data Protection Act 1998 are embedded.

1.2 The organisation collects, receives, holds and processes a wide range of personal data relating to individuals which may be held electronically or in manual systems. This policy therefore provides some clarity around the Data Protection Act 1998 and enforceable rights to individuals and those who hold personal data.

1.3 Clearly identify responsibilities within the policy and particular reference should be given to those noted within section 4 and across the key points of the policy.

2. Definitions

2.1 For the purposes of this policy and accompanying guidance the following definitions apply:

2.2 "The Association" means Cestria Community Housing which is registered as the data controller with the Information Commissioner under the Data Protection Act 1998 to process personal data.

2.3 "Employees" includes all workers who are employed by the Association under a contract of employment, or are working for the Association as a consultant or are temporary staff or work through an agency and have access to data.

2.4 "ICT Users" - anyone who accesses ICT systems, or uses ICT equipment, which is owned by the Association. Such users could include, but are not limited to staff, contractors, Board Members and tenants.

2.5 "ICT equipment" includes that which is owned or leased by the Association, or used in conjunction with the Association's assets and must be used in line with this and other ICT policies and is in respect of the following:
- Internet
- Intranet
- Telephony including Mobile Devices
- Computers
- Laptops
- Fax Machines
- Smart Phones
2.6 "Customers" includes persons to whom the Association provides accommodation and services including tenants and leaseholders, residents and housing applicants and former and future tenants and leaseholders, residents and housing applicants.

2.7 "Data Controller" - the Data Controller is Cestria Community Housing Association. The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services. Any questions or concerns about the interpretation or operation of this policy should in the first instance be discussed with the Company Secretary.

2.8 "Data Subject" is any living person who is the subject of personal data, whether in a personal or business capacity.

2.9 "Personal data" is any information/data relating to an individual who can be identified from the data (or from the data and other information in the possession of the Association). Personal data can be factual, e.g. name, address, date of birth, or it can be an opinion, e.g. performance appraisal. Such information normally has the individual as its focus and affects their privacy in some way. Personal data may be held on paper forming part of a relevant filing system, or on a computer or other electronic system, e.g. CCTV.

"Processing" means any activity that involves the use of data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

The processing of personal data must comply with the data protection principles under the Data Protection Act. These state that the personal data must be:
- processed fairly and lawfully;
- processed for limited, specific purposes and not further processed for a purpose incompatible with the specified purposes;
- adequate, relevant and not excessive for the purpose;
- accurate and kept up to date;
- not kept longer than necessary for the purpose;
- processed in line with the data subjects' rights;
- secure;
- not transferred to people or organisations situated in countries outside the European Economic Area (EEA) without adequate protection for personal data.
2.11 "Sensitive personal data" includes, but is not necessarily limited to information about a person's racial or ethnic origin, their political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life or proceedings for any offence.

"Confidential information" - this comprises all commercially sensitive data whether received formally, informally, or discovered by accident. This includes, but is not necessarily limited to:
- any personal data about employees, board members, employment applicants, customers, consultants, contractors, suppliers, and partners;
- any policy, procedure, or strategy deemed by the board to be commercially sensitive;
- any other information, not in the public domain, that is likely to be commercially sensitive or where there is a risk of the Association being damaged by its disclosure;
- tenders and quotations for services and works.

"Subject Access Request" is a request from an individual to view the personal data that the Association holds about them. Under the Data Protection Act, any such individual, known as the data subject, has the right to access their own personal information.

"Data breach" is the intentional or unintentional release of secure information. It is a security incident in which sensitive, protected or confidential information is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so, and may include but is not limited to theft or loss of ICT equipment where such information may be stored unencrypted.

3. Commitment

3.1 The Association is committed to:

1. Ensuring compliance with the Data Protection Act.
2. Providing clear guidance and training to staff on data protection issues.
3. Taking appropriate security measures to safeguard personal information.
4. Ensuring all employees and Board members ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure, and in particular that:
   - paper files and other records or documents containing personal / sensitive information are kept in a safe environment;
   - personal data held on computers and computer systems is protected by the use of safe passwords and that individual passwords are kept private.
5. Ensuring all contractors, consultants and suppliers ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Cestria are aware of this policy and their responsibilities under the Data Protection Act.
6. Ensuring that this policy and any associated guidance are applied appropriately and consistently.
7. Ensuring this policy is implemented in line with Cestria's Equality and Diversity Policy and associated legislation. Consideration will be given to all protected characteristics under the Equality Act 2010 to eliminate discrimination, advance equality of opportunity and foster good relationships.
8. Ensuring this policy and associated documents are available in different languages and alternative formats such as large print, audio-type etc. on request.

4. Responsibilities

Cestria CHA

4.1 The Association, or its representatives, reserves the right to audit networks and systems on a periodic basis to ensure compliance with this and other relevant policies.

4.2 To meet business or service needs, or where legal issues are involved, management reserves the right to inspect such records without the user's prior knowledge or consent.

Data Controller

4.3 The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services.

4.4 The Data Controller has 40 calendar days to process requests made in respect of personal data (subject access requests) and respond to the applicant, once the fee has been received.

4.5 The Data Controller will ensure appropriate information in respect of this policy is made available once everything is satisfied, in line with the key points section with support from manager where required.
4.6 The Data Controller is the key point of contact for any query that may arise from staff in respect of this policy and/or data protection/security and/or data breach.

4.7 The Data Controller will investigate any data breaches he is made aware of and ensure an appropriate response.

Heads of Service

4.8 Will support the Data Controller in respect of this policy when subject access requests are received.

4.9 Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Managers

4.10 Will ensure appropriate information in respect of this policy is made available to support the Data Controller, in line with the key points section.

Will approve who within their service teams are able to work at home whenever this may be required.

Will agree all arrangements for monitoring, supervising, setting workloads etc. in respect of home working.

Are responsible for ensuring operational procedures within their service teams reflect the correct application of data protection requirements where personal data is collected and/or processed.

Are responsible for ensuring periodic and ongoing monitoring checks are undertaken to ensure compliance with data protection including all other relevant policies and processes.

Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Employees

4.16 Whose role requires access to personal data, must ensure they comply with this policy at all times and in particular the 8 principles of the Data Protection Act.

Ensure they comply with the Subject Access Request guidance in respect of this policy.
4.18 When working from home employees must seek their manager's prior approval to work at home whenever this may be required in line with the ICT Acceptable Use Policy and provide their own equipment.

To ensure personal data and security, are not to release their home address and telephone number to non-members of staff. Employees are also strongly advised not to meet volunteers, clients, or customers at home. In the event that any employee feels this is essential they must gain prior approval from their line manager.

Must ensure confidentiality and therefore equipment and files should only be accessible to the employee and safeguarded from access by other members of the household and visitors.

It is the responsibility of every employee and user to know and understand this and other relevant policies, and to conduct their activities accordingly.

Ensuring data breaches within the Association are reported to the Data Controller as indicated within this policy.

Are responsible for those points noted within the section of Reporting a Data Breach, within this policy.

Users

4.24 Must advise IT Support Services if they have sensitive or vulnerable data in order that they can discuss and consider encryption.

Must maintain personal safety and privacy while accessing the Internet.

It is the user's responsibility to ensure that suitable access restrictions are put in place on any smart phone/devices that are accessing work related information (emails, calendars, etc.).

Must adhere to this and other ICT policies:
- ICT Acceptable Use Policy and Internet Policy
- Electronic Media and Data Security Policy
- Social Media Policy and procedures

4.28 It is the user's responsibility to ensure compliance with all applicable provisions of this policy. Ignorance will not be recognised as sufficient grounds for appeal. If you have any comments or queries, or there is any provision that you do not understand you should contact your Head of Service.
4.29 Must never reveal their account password to others or allow use of their account by others. This includes family and other household members if working from home.

Must not use the Association's ICT equipment to evade, or attempt to evade, the security and authentication processes.

Must never install software applications and/or updates from the internet without the express authorisation of the IT Support Services Team.

ICT Support Services Team

4.32 The ICT Support Services Team, or their representatives (e.g. an external consultancy when doing penetration tests etc.), may monitor equipment, systems and network traffic at any time for any purpose permissible by law and ensuring security of data within ICT systems or when instructed to do so, in respect of security of data, by an Executive Team Member.

5. Key Points of the Policy

5.1 General Principles

Through the course of our business, we will collect information about people, such as:
- current, past and prospective customers
- current, past and prospective employees
- current, past and prospective Board members
- any member of the public
- suppliers, contractors and consultants

Personal information we may hold must be dealt with properly, regardless of how the information is collected, recorded or used and regardless of whether it be on paper or on electronic systems or any other means.

The Data Protection Act 1998 applies to electronic and paper records containing personal data as well as data held visually in photographs or video clips (including CCTV) or sound recordings. This includes any expression of opinion about an individual and intentions towards an individual.

5.2 The Data Protection Act

The Data Protection Act 1998 regulates the collection, holding, processing and distribution of personal data, that is, information relating to individuals which is held either electronically or in manual systems. The Act gives enforceable rights to individuals and places obligations on those who hold personal data.
5.2.2 In cases where an individual requests access to their personal information under this Act, Cestria must tell the applicant whether it holds the information, and must supply it within 40 calendar days, in the format requested.

There are eight data protection principles. These require personal information to be:
- fairly and lawfully processed;
- processed for limited, specified purposes;
- adequate, relevant and not excessive;
- accurate and kept up to date;
- not kept longer than necessary;
- processed in accordance with individual rights;
- kept secure;
- not transferred abroad to countries without adequate protection.

5.3 Disclosure of information

Personal data and confidential information held will only be passed to others on a need to know basis and with an individual's consent unless there are exceptional circumstances. Exceptional circumstances include:
- where there is clear evidence of fraud;
- to comply with the law;
- in connection with legal proceedings;
- where it will be essential to enable the Association to carry out its duties, for example where the health and safety of an individual will be at risk by not disclosing the information.

Personal data may only be transferred to a third party data processor if the third party enters into a contract in which it agrees to comply with appropriate security procedures and policies.

5.4 Requests for Personal Data (Subject Access Requests)

Guidance in respect of Subject Access Requests has been provided to every employee and must be considered, in line with this policy.

Everyone has the right to access personal data that is being kept about them as long as it falls within the scope of the Data Protection Act.

Anyone may make a request for access to personal data which Cestria holds about them. Such requests must be made in writing and should be submitted to the Company Secretary. The request must include the:
- applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- £10 fee.

The Data Controller has 40 calendar days to process the request and respond to the applicant, once the fee has been received.

Any personal information can be requested; however, the Association is allowed by the Act to withhold third party personal information if the third party has not consented to its disclosure.

5.5 Requests for Information about Other People

Information will only be provided where the data subject has consented or there is an exemption which applies under the Data Protection Act. Anyone who wishes to request this information must make their request in writing. The request must include the:
- applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- the £10 fee.

Cestria does not need to comply with a request when they have received an identical or similar request from the same person unless a reasonable amount of time has elapsed between the initial and subsequent requests. The Data Controller then has 40 calendar days to process the request and respond to the applicant.

5.6 Data Protection Exemptions

When considering a request for personal data the Data Controller may apply exemptions in the Data Protection Act 1998 which:
- If the personal data was disclosed would prejudice the prevention or detection of crime and the collection or assessment of tax;
- In connection with legal proceedings;
- Would prejudice negotiations with the data subject;
- Are covered by legal privilege.
5.7 Reporting a Data Breach

In the event of a security breach, there are four important elements to undertake:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response

The data breach process is appended to this policy; however, in the event of discovering a data breach, employees (you) must:
- Inform the Data Controller immediately;
- Inform your Manager/Head of Service immediately;
- Take immediate steps to contain the breach;
- Make a preliminary assessment.

Once made aware, managers and/or heads of service must:
- Evaluate the risks for individuals associated with the breach;
- Consider what personal information is involved;
- Determine whether the context of the information is sensitive;
- Establish the cause and extent of the breach;
- Identify what is the risk of harm;
- Consider breach notification;
- Risk analysis on a case-by-case basis;
- Ensure the Data Controller is updated regularly.

Where there is a potential harm to the data subjects, managers must:
- Review the incident and take action to prevent future breaches;
- Fully investigate the cause of the breach;
- Consider developing a prevention plan;
- Option of audit to ensure the plan is implemented;
- Update security/response plan;
- Make appropriate changes to policies and procedures;
- Revise staff training practices.

5.8 Other linked policies

In addition to adhering to the Staff Code of Conduct, other documents that must be considered along with this Data Protection Policy are shown below; however, this is not an exhaustive list:
- ICT Acceptable Use policy
- Electronic Data Security policy
- Social Media Policy
- Clear Desk Policy
- Equality and Diversity policy
- Disciplinary policy
- Safeguarding policy

6 Monitoring and Review

6.1 The Director of Finance and Corporate Services will be responsible for reviewing this policy which will be reviewed every 2 years to ensure that it is effective and complies with current practice. Should there be any change to the statutory requirements a review would be carried out sooner.

7 Communication to Staff

7.1 All managers must communicate and share this policy with the team within four weeks of policy approval. Managers are required to discuss the impact and the implications of this policy at the team meeting for all staff (new and existing).

7.2 Managers are required to ensure team members understand the relevance of the policy and show their acceptance by signing below.

7.3 Managers must also keep the signed copy of the policy for future reference.

8 Acceptance of the policy:

8.1 I have read and understood the policy. I understand the impact, implications and my responsibility in relation to this policy.

Team:
Name:
Signature:
Date:
Data Security Breach Process

In the event of a security breach, the following process must be followed to ensure four important elements are considered: containment and recovery, assessment of ongoing risk, notification of the breach and evaluation and response.

In all cases, the Data Controller must be informed immediately, as well as your manager and head of service.

The Data Controller will take the lead on all breach investigations and managers and heads of service will fully support this process and ensure the Data Controller is constantly updated.

Throughout the investigation, individuals will be identified by the lead in respect of actions to be taken particularly in the:
- containment period, i.e. closing section of network, finding the lost piece of equipment or changing access codes etc.
- recovery period, i.e. recover any losses and limit damage the breach has caused as well as the physical recovery of equipment.
- notification, where appropriate, informing the police.

In the event of a data security breach, the following process must be followed:

Security Breach

You discover a data security breach, you must:
- Inform the Data Controller immediately and your manager and head of service
- Take immediate steps to contain the breach and make a preliminary assessment ensuring you keep your manager updated

Once made aware, managers and heads of service must, while ensuring the Data Controller is constantly updated:
- Evaluate the risks for all those associated with the breach
- Consider what personal information is involved
- Determine whether the context of the information is sensitive
- Establish the cause and extent of the breach
- Identify what the risk of harm is
- Consider breach notification and conduct a risk analysis on each case
Where there is potential harm to the data subjects, managers and heads of service must:
- Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach
- Consider developing a prevention plan
- Consider option of audit to ensure the plan is implemented
- Update security / response plan
- Make appropriate changes to policies & procedures and revise staff training practices

If you require further information you must speak to the Data Controller and/or the Information Commissioner's Office (ICO) website through the following link: on/practical_application/guidance_on_data_security_breach_management.pdf
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationData Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
More informationData Protection Procedures
Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council
More informationDATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;
DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary
More informationData Protection and Information Security. Procedure for reporting a breach of data security. April 2013
Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationData Protection and Community Councils Briefing Note
Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.
More informationData Protection Policy
Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;
More informationRick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk
Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The
More informationPRIVACY POLICY Personal information and sensitive information Information we request from you
PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage
More informationHow To Understand The Data Protection Act
DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Document Management: Date Policy Approved: 29 April 2015 Date Amended: Next Review Date: April 2017 Version: 1 Approving Body: Resources Committee 1 1. Introduction The Data Protection
More informationVersion 1. Chair of Governors Signature.. Review Date: Spring term 2017
Version 1 Chair of Governors Signature.. Date of Adoption/Ratification: 4 th February 2015 Review Date: Spring term 2017 Purpose Cliff Park School s Trust collects and uses personal information about staff,
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationThe post holder will be guided by general polices and regulations, but will need to establish the way in which these should be interpreted.
JOB DESCRIPTION Job Title: Membership and Events Manager Band: 7 Hours: 37.5 Location: Elms, Tatchbury Mount Accountable to: Head of Strategic Relationship Management 1. MAIN PURPOSE OF JOB The post holder
More informationData Security and Extranet
Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:
More informationFalkirk Council Data Protection Guidelines
Falkirk Council Data Protection Guidelines Contents Contents 2 Objectives 3 What does the Data Protection Act 1998 do? 3 Who is who under the Data Protection Act 1998? 4 Definitions 4 The Eight Principles
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationData Protection Policy
Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents
More informationINFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title
More informationData Protection and Privacy Policy
Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.
More informationData Protection and Data security Policy
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
More informationJohn Leggott College. Data Protection Policy. Introduction
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationSUBJECT ACCESS REQUEST PROCEDURE
SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationInformation Governance Policy
Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups
More informationEMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents
EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security
More informationData Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
More informationInformation Governance
CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this
More informationData Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
More information1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.
MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationPERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
More informationDATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff
DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has
More informationUNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY
UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY 1. Purpose 1.1 The Data Protection Act 1998 ( the Act ) has two principal purposes: i) to regulate the use by those (known as data controllers) who obtain,
More informationHealth and Safety Policy Part 1 Policy and organisation
Health and Safety Policy Part 1 Policy and organisation ICO H&S Policy Policy and organisation, June 2014 Page 1 of 6 1. Scope 1.1 The Health and Safety policy applies to all employees of the Information
More informationDATA PROTECTION AUDIT GUIDANCE
DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data
More informationRemote Access Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY The Hollandse School Limited (hereinafter HSL ) is an educational institution with a history of over 93 years, and is one of the largest Dutch language schools abroad where the International
More informationMENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose
MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring
More informationHow To Protect Your Personal Information At A College
Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information
More informationHORIZON OIL LIMITED (ABN: 51 009 799 455)
HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon
More informationPersonal Data Protection Policy
Personal Data Protection Policy Please take a moment to read the following Policy. If there is anything you do not understand then please contact us. We are committed to protecting privacy. This Personal
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationAll CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.
Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,
More information2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.
University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information
More informationDATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether
More informationOBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
More informationUSE OF PERSONAL MOBILE DEVICES POLICY
Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014
More informationHealth and Safety Policy and Procedures
Health and Safety Policy and Procedures Health & Safety Policy & Procedures Contents s REVISION AND AMENDMENT RECORD : Summary of Change Whole Policy 4.0 05 Nov 08 Complete re-issue Whole Policy 4.1 10
More information