Data Protection Policy

Transcription

1 Data Protection Policy Version: 1.0 Date: October 2013

2 Table of Contents 1 Introduction The need for a Data Protection Policy Scope Principles Staff Roles & Responsibilities Procedures The Use of Live Data for Test Purposes Policy Review and Audit Internal Disciplinary Action and Criminal Prosecution Related Documents Further Information... 6 Page 2 of 6

3 1 Introduction The need for a Data Protection Policy 1.1 The Data Protection Act 1998 places a legal obligation on all organisations to process personal data in accordance with eight Data Protection Principles set out in the Act. 1.2 Personal data is data which relates to a living individual and which allows the relevant individual to be identified either on its own or when it is combined with other personal data held. 1.3 St Helens Council must gather and process personal information about staff and clients in order to operate effectively. 1.4 The Council, acting as the custodians of personal data, recognise their legal and moral duty to ensure that personal data is handled properly and confidentially at all times. 2 Scope 2.1 This policy applies to all personal data held both on paper and by electronic means (including ). 2.2 This policy covers the whole lifecycle of personal data including: The obtaining of data; The storage and security of the data; The use and disclosure of the data; The sharing of data; The disposal and destruction of the data. 2.3 This policy applies to all users who have access to the Councils network, information and systems. 3 Principles St Helens Council will maintain appropriate safeguards to ensure adherence to the Data Protection Principles of the 1998 Act: 3.1 The collection and use of personal data will be done in such a way that recognises the Fair Processing Code, i.e. that personal data are obtained fairly and lawfully. As such the data subject should be notified of any processing by issuing a Fair Processing Notice. Particular consideration should be given to the processing of sensitive personal data. 3.2 Personal data will only be obtained and processed for the purposes specified in their Notification and in pursuit of St. Helens Council s business objectives, and should not be processed in any manner incompatible with that purpose (or those purposes) Personal data will be collected and processed on a need to know basis, ensuring that it is fit for the purpose and not excessive. 3.4 Steps will be taken to maintain the accuracy and currency of data; Page 3 of 6

4 3.5 Personal data will not be kept for longer than is necessary and will be disposed of at a time appropriate to the purpose for which it was collected; 3.6 The rights of individuals to whom personal data relate will be respected and steps taken to ensure that these rights may be exercised in accordance with the Act; 3.7 Appropriate security measures will be taken, both technically and organisationally, to protect personal data against damage, loss or abuse; 3.8 The movement of personal data will be done in a lawful way, both inside and outside the organisation, with suitable safeguards in place at all times. The rights of data subjects should also be observed and St Helens Council must ensure that these rights can be fully exercised under the DPA. These include: The right to be informed that processing is taking place; The right of access to their own personal data; The right to prevent processing in certain circumstances; The right to correct, rectify, block or erase information which is regarded as wrong information; 4 Staff Roles & Responsibilities St. Helens Council will ensure the following staff roles in relation to Data Protection are supported, including the provision of appropriate training, instruction and supervision so that their duties may be carried out effectively and consistently: 4.1 A Data Protection Officer for St. Helens Council will be responsible for gathering and disseminating information and issues relating to Data Protection; 4.2 A System & Information Management Officer for St Helens Council will carry out the day to day workings of Data Protection compliance, and audit the provisions for the same in departments; 4.3 Information Management Group Representatives will coordinate Data Protection compliance within the Council s five Departments; 4.4 Line managers will have responsibility for all matters relating to Data Protection in their operational area; 4.5 Those individuals referred to in section 2.3, acting on the Council s behalf will be responsible for safeguarding the personal data in their care. 4.6 All staff who handle personal data must undertake training in Data Protection and/or Caldicott training if appropriate. 5 Procedures To meet the requirements of the legislation the Council has produced corporate standards and procedures, which should be adhered to in relation to the following: The collection, maintenance and disposal of personal data; Page 4 of 6

5 Standards of security for both manual and computerised data, including the organisation of office accommodation to protect data; The disclosure of information to other departments and outside agencies; The disclosure of information to elected members; The handling of requests from individuals for access to their data; The setting up of new business processes; including the testing of new systems The letting of contracts; The setting up of multi-agency partnership arrangements; The handling of personal data on ; The induction and training of staff; The review of policy for accuracy and currency; Departmental reviews of procedures for data protection compliance; Audits of procedures and practice for data protection compliance. The corporate standards and procedures for the above are laid out in the Data Protection Code of Practice (see Related Documents below). 6 The Use of Live Data for Test Purposes 6.1 The processing of live data for test purposes should only take place when the Data Subject cannot be identified. 6.2 In exceptional circumstances, if the processing can be justified in the legitimate interests of the Data Controller, then the use of live data may be considered. 6.3 The decision to use live data for test purposes, must be recorded and considered by the IT Policy & Regulation Group. 7 Policy Review and Audit 7.1 This policy and related policy documents will be reviewed regularly by the System & Information Management Officer to ensure their content is accurate and up to date. 7.2 The System & Information Management Officer will co-ordinate an audit of personal data processing across the authority on a regular basis. 7.3 The System & Information Management Officer will undertake a review of the management of data protection compliance within the Council on a regular basis. 7.4 The System & Information Management Officer will undertake audits of data protection compliance within departments on a rolling basis in accordance with the general Audit schedule for the Council. 7.5 Arrangements should be made within Departments for regular reviews of procedure and practice in relation to data protection to ensure compliance with the Council s Data Protection Policy. Page 5 of 6

6 8 Internal Disciplinary Action and Criminal Prosecution 8.1 It is important that staff at all levels adhere to the requirements of this policy by following the guidelines and procedures set out in the Data Protection Code of Practice. 8.2 Negligent or deliberately destructive acts may result in disciplinary action as covered by Employees Terms and Conditions. 8.3 Under the Data Protection Act 1998 legal liability for the safeguarding of personal data falls both to the organisation and individually to its staff members. Prosecutions have been undertaken under the Data Protection Act. 9 Related Documents 9.1 The Information ICT Security Policy Framework sets out the overarching policies and governance surrounding the council s management of information and information systems (including electronic and hard copy information). 9.2 Internet & Policy - Produced by Internal Audit (Regulation and Compliance) The Internet & Policy forms part of the Information Management Framework. 9.3 The documents named above can be found on the Council s Intranet.. 10 Further Information 10.1 Further information, advice and guidance is available from the System & Information Management Officer, Internal Audit (Regulation and Compliance), Town Hall, Tel: dataprotection@sthelens.gov.uk 10.2 The Office of the Information Commissioner is the government regulator for Data Protection in the UK: Office of the Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire Tel: SK9 5AF 10.3 Information Commissioners website (ico.gov.uk) contains guidance on the implementation of the FOIA, DPA and Environmental Information Regulations Act. October 2013 Page 6 of 6