Data Protection Policy



Similar documents
Information security incident reporting procedure

Incident reporting procedure

Merthyr Tydfil County Borough Council. Data Protection Policy

Human Resources Policy documents. Data Protection Policy

Scottish Rowing Data Protection Policy

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

So the security measures you put in place should seek to ensure that:

DATA PROTECTION POLICY

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

Policy Document Control Page

Data Security and Extranet

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

DATA PROTECTION AND DATA STORAGE POLICY

Data Compliance. And. Your Obligations

Data Protection and Data security Policy

1. Introduction Statement of Policy The Eight Principles of Data Protection Scope Roles and Responsibilities.

DATA PROTECTION POLICY

University of Limerick Data Protection Compliance Regulations June 2015

Corporate ICT & Data Management. Data Protection Policy

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Data Protection Guidance

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Data Protection Policy June 2014

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

Photography and filming in schools Code of Practice

Incident Reporting Procedure

Data Protection Policy

Data Protection Good Practice Note

The Manitowoc Company, Inc.

Data Protection and Privacy Policy

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

Information Governance Checklist and Privacy Impact Assessments

1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established

Data protection policy

CORK INSTITUTE OF TECHNOLOGY

INFORMATION GOVERNANCE STRATEGY NO.CG02

Portable Devices and Removable Media Acceptable Use Policy v1.0

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

Human Resources and Data Protection

Subject Access Request (SAR) Procedure

How To Protect Your Personal Information At A College

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

DATA PROTECTION POLICY

Information Governance Policy

Highland Council Information Security Policy

Rick Parsons Information Governance Officer County Hall

DATA PROTECTION POLICY

John Leggott College. Data Protection Policy. Introduction

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

Data Protection for the Guidance Counsellor. Issues To Plan For

How To Understand The Data Protection Act

Guidance on data security breach management

Information Security Incident Management Policy September 2013

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Information Governance Management Framework

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY

Information Governance Policy

HERTSMERE BOROUGH COUNCIL

Information Security Policy. Appendix B. Secure Transfer of Information

Data Protection in Ireland

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

Information Incident Management Policy

Information Privacy Policy

Version Number Date Issued Review Date V1 25/01/ /01/ /01/2014. NHS North of Tyne Information Governance Manager Consultation

Little Marlow Parish Council Registration Number for ICO Z

DATA PROTECTION AUDIT GUIDANCE

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

RECORDS MANAGEMENT POLICY

Information Governance Policy

Information Governance Policy

Transcription:

Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review date December 2015 1

Introduction 1 Personal data is used throughout the Institute as part of normal day-today business. This policy sets out how NICE will meet its legal obligations under the Data Protection Act 1998 ( the DPA ) and to protect the confidentiality of sensitive personal information in light of guidance from the Department of Health. 2 The DPA applies to all personal data held in filing systems, contact databases, emails, and portable media. It includes any information that can be used to identify a living individual such as photographs, contact names and addresses for staff, committee members, stakeholders, and others with whom we do business. It also includes information processed on behalf of the Institute by third parties. 3 The Institute regards the lawful and correct treatment of personal information as essential in order to protect the interests of those whose personal data we hold and to maintain confidence in our operations. Accordingly NICE will ensure that all personal information will be processed in accordance with the Data Protection Act 1998 and guidance from the Department of Health. The data protection principles 4 NICE will adhere to the eight principles of the Data Protection Act 1998 which require that personal information is: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate Not kept for longer than necessary Processed in accordance with the data subjects rights Secure Not transferred to countries outside the European Economic Area without adequate protection Definitions 5 Personal data is defined in the Act as any information: which relate to a living individual who can be identified 2

(a) (b) from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual 6 This definition should be considered in light of the extent to which the data relates to the individual s privacy in their family life, business or professional capacity. In particular consideration should be given to whether the information is biographical in a significant sense, or whether it has the individual as its focus. 7 The Department of Health has advised that sensitive personal data is information that includes the name of an individual, combined with one or more of the following: Bank / financial / credit card details National Insurance number / Tax, benefit or pension records Travel details (for example at immigration control, or Oyster records) Passport number / information on immigration status / personal (non- NICE) travel records Health records Work record Material related to social services (including child protection) or housing case work Conviction / prison / court records / evidence Other sensitive data defined by s.2 of the Data Protection Act 1998 including information relating to: (a) racial or ethnic origin (b) political opinions (c) religious beliefs or other beliefs of a similar nature (d) membership of a trade union (e) physical or mental health or condition (f) sex life (g) the commission or alleged commission by an individual of any offence (h) any proceedings for any offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of any court in such proceedings. Responsibilities 8 The Chief Executive has overall responsibility for data protection within the Institute. This authority is delegated to the Business Planning & Resources Director who also acts as the Senior Information Risk Officer (SIRO) and Caldicott Guardian. The Governance Manager is responsible for day-to-day corporate compliance with the Data Protection Act and providing advice to staff. 3

Management of personal data 9 Personal data should only be collected where it is necessary for the work of the Institute and should be kept to the minimum necessary for that task. 10 Staff should follow good practice for handling personal data as set out in the data protection Good Practice Guide. In particular. the Institute will only use personal information where this is necessary to carry out its functions; personal data will be anonymised where it is not necessary to identify the individual for the stated purpose; information solicited in response to website or other consultations will include an appropriate data protection statement at all gateways; portable media that may contain personal data will be encrypted if held outside secure office premises based on a risk assessment; sensitive personal data will not be published on the Institute s website with the exception of personal testimonies where the individual has provided explicit written consent; all records containing personal data will be destroyed in accordance with the Institute s records retention and disposal schedules. Security of sensitive personal data 11 Sensitive personal data must not be transported outside secure office premises on portable media (eg a laptop, memory stick, CD or DVD) unless the media is encrypted or password protected. 12 All bulk transfers of other personal data, such as mailing lists, must be encrypted / password protected prior to transfer to third parties. 13 Sensitive personal data sent by post should be marked confidential. 14 All sensitive personal data held in office premises such as personnel records or unsolicited medical information contained in general enquiries must be kept securely in locked cabinets and offices, and only made available to authorised staff and third parties on a need-to-know basis. 15 Access to sensitive personal data held in electronic form must be limited to a need to know basis and managed via appropriate permissions access on the NICE network. 16 Everyone managing and handling personal information is responsible for following good data protection practice in accordance with NICE policies and guidance. 17 Any potential breach of security concerning loss, inappropriate 4

Website disclosure or misuse of sensitive personal data such as through lost or stolen laptops must be reported to the Business Planning & Resources Director or Governance Manager as soon as possible in accordance with the Incident Reporting Procedure. A summary is provided at Appendix A. 18 NICE will ensure that all relevant gateways soliciting information on the website have appropriate statements clearly explaining how personal data will be used by NICE. CCTV 19 CCTV is installed in the Manchester office for the purpose of security only and may be disclosed to the police. The Institute will ensure the operation of CCTV is in accordance with guidance provided by the Information Commissioner s Office. Sharing personal data 20 Personal data may be shared with third parties where this is necessary for the performance of the Institute s functions and in accordance with NICE data sharing protocols and guidance from the Information Commissioner s Office. Disclosure of personal information under FOI 21 In response to requests under the Freedom of Information Act ( the FOI ) NICE may disclose staff personal data. In doing so it will give due consideration to whether in all the circumstances the disclosure would be fair to the individual and balance its duty of care to staff in respect of protecting their personal information from unwarranted intrusion with its legal obligations to disclose information under FOI. 22 When handling FOI requests for personal information there will be a presumption in favour of protecting personal privacy: No HR information will be disclosed except in response to a subject access request; No personal email addresses, direct fax or DDIs will be disclosed; No names of staff will be disclosed except where they are in public facing roles. Public facing roles are those where individuals deal directly with the public and where there is a legitimate expectation that their name should be known. Job titles of staff will generally be disclosed; Names only of Directors and Board members will be disclosed No private addresses will be disclosed 5

23 In applying this default position it is recognised that names and contacts details of some staff are proactively placed in the public domain on the NICE website. Any such publicly available information will be disclosed. Subject access requests 24 Any individual, including a member of staff, has a legal right of access to their personal data held by the Institute under the Act. The Corporate Office will be responsible for managing all subject access requests by the public within statutory time frames including verification of the identity of the individual. Contracts 25 All contracts with third parties that involve the processing of personal data will include specific obligations to comply with the Data Protection Act 1998 and standard Office of Government Commerce contract clauses on security / information assurance where applicable. Review 26 This policy will be reviewed every three years. Related policies - Information Charter - Email and Internet Policy - Freedom of Information Policy - Counter Fraud Policy - Incident reporting procedure 6

Appendix A Guidance on breaches of security for personal data 1 Breaches of security can occur for a number of reasons such as loss or theft of equipment, documents left on trains or at meetings, simple human error or even hacking attacks. Data security breaches should be reported so that an assessment of the risks can be carried out and remedial action taken as necessary. 2 This guidance only applies where there is an actual or potential loss, misuse or disclosure of sensitive personal data as defined in section 3 above. It does not apply to information readily accessible in the public domain such as business names and addresses. If in doubt the event should be reported. 3 When there is a breach of security the following information should be reported to the Director of Business Planning & Resources or Governance Manager as soon as possible: When the event occurred The type and quantity of sensitive personal data involved The circumstances of the loss eg theft from car, left on train Whether the breach is thought to arise from a systemic failure Description of the media containing the data such as laptop or memory stick What security was in place eg encrypted laptop, locked car Any other information considered relevant 4 The Business Planning & Resources Director will take remedial action depending on the risk involved. An incident report should be completed by the responsible manager which may be included in the risk register and reported to the Audit Committee as necessary. 7

Appendix B - Version Control Sheet Version Date Author Replaces Comment 2 July 09 Julian Lewis Data Protection Policy 2001 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information