37. Data Protection Act - Registration by Schools

Similar documents
Information Governance Policy

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Little Marlow Parish Council Registration Number for ICO Z

Data Protection Policy

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

DATA PROTECTION POLICY

Corporate ICT & Data Management. Data Protection Policy

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

Data Protection Act a more detailed guide

Data protection policy

Data Protection Policy

How To Understand The Data Protection Act

DATA PROTECTION ACT 1998 COUNCIL POLICY

Data Protection and Community Councils Briefing Note

Data Protection Policy

Rick Parsons Information Governance Officer County Hall

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

CORK INSTITUTE OF TECHNOLOGY

Data Protection Guidance

Merthyr Tydfil County Borough Council. Data Protection Policy

Guidelines on Data Protection. Draft. Version 3.1. Published by

Data Protection Act. Privacy & Security in the Information Age. April 26, Ministry of Communications, Ghana

HERTSMERE BOROUGH COUNCIL

Policy Document Control Page

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

DATA PROTECTION POLICY

ATMD Bird & Bird. Singapore Personal Data Protection Policy

Personal Data Act (1998:204);

Data Protection Policy

Human Resources and Data Protection

The Manchester College

DATA PROTECTION POLICY

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

Dublin City University

Data Protection in Ireland

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Data Compliance. And. Your Obligations

DATA PROTECTION MANUAL

AlixPartners, LLP. General Data Protection Statement

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

Data Protection Policy

Data Protection Policy June 2014

technical factsheet 176

How To Protect Your Personal Information At A College

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

Data Protection. Policy and Application July 2009

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

DATA PROTECTION AUDIT GUIDANCE

How To Know What You Can And Can'T Do At The University Of England Students Union

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

The Manitowoc Company, Inc.

The Guide to Data Protection. The Guide to Data Protection

Scottish Rowing Data Protection Policy

Data Protection and Privacy Policy

Data Protection A Guide for Users

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

John Leggott College. Data Protection Policy. Introduction

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

The supplier shall have appropriate policies and procedures in place to ensure compliance with

CROATIAN PARLIAMENT 1364

PROTECTION OF PERSONAL INFORMATION BILL

Data Protection Act, 2012

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident

DATA PROTECTION POLICY

Falkirk Council Data Protection Guidelines

Comments and proposals on the Chapter II of the General Data Protection Regulation

GSK Public policy positions

PROTECTION OF PERSONAL INFORMATION BILL

10 DATABASE PRACTICE

The Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Data Protection Acts 1988 and 2003: Informal Consolidation

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

ST IVES CHAMBERS POLICY ON THE COLLECTION AND USE OF DIVERSITY DATA

Data protection compliance checklist

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Human Resources Policy documents. Data Protection Policy

1. Introduction Statement of Policy The Eight Principles of Data Protection Scope Roles and Responsibilities.

DATA PROTECTION AND DATA STORAGE POLICY

CHAPTER 1 General Provisions. Article 1

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

Data Protection Good Practice Note

Data Protection Policy

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

DIFC LAW NO. 1 OF 2007

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

DATA PROTECTION POLICY

FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 February /05 LIMITE COPEN 35 TELECOM 10

Data Protection Act 1998 Codes of Practice. The Employment Practices DP Code Part 1: Recruitment and Selection

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Data Protection Policy

Transcription:

37. Data Protection Act - Registration by Schools The Data Protection Act 1998 has replaced the Data Protection Act 1984. Whereas the 1984 Act only related to personal data that could be automatically processed the current Act is wider in scope. The Act covers automated data, which includes data held on computer media, document image processing, audio/video and digitised images. It also covers 'relevant filing systems'. These can be non-automated systems and would be subject to the provisions of the Act if they are structured by reference to individuals and organised to allow ready access to specific information about individuals. Card index systems, microfiche records and personal files could thus be covered. See also: Section A28 Information Systems Section A34 - Financial Control Procedures The Data Protection Principles The main points of the eight data protection principles are given below. Other than the words in italics this is not a direct quotation from the Act. Principle 1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: A. At least one of the conditions in Schedule 2 is met, and B. In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. Schedule 2 Conditions Consent of the data subject Necessary for performance of a contract with the data subject Compliance with legal obligation To protect vital interests of the data subject Administration of justice and to carry out public functions in the public interest To pursue legitimate interests of the controller unless prejudicial to interests of the data subject. August 11 Page 1 of 5

Sensitive Data Racial or ethnic origin Political opinions or trade union membership Religious or similar beliefs Health or sexual life Criminal offences Schedule 3 Conditions Explicit consent of the data subject To comply with employers legal duty To protect vital interests of data subject or another person Carried out by certain non-profit bodies The information has been made public by the data subject On legal proceedings Exercising legal rights For medical purposes For equal opportunities monitoring As specified by Order of the Secretary of State Interpretation Personal data are not to be treated as processed fairly unless the data controller ensures, so far as practicable, that the data subjects has, is provided with, or has made available to them at least; The identity of the data controller The purpose(s) for which data will be processed Any further information necessary (to make it fair i.e. third party disclosure) Principle 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Each intended use or disclosure is lawful August 11 Page 2 of 5

Principle 3 Principle 4 Any subsequent use or disclosure is lawful Notification is complete and accurate Notification is changed appropriately and in time Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. The holding of every item of personal data can be justified adequate, relevant, not excessive have been defined Data items need to be notified Application forms differentiate between essential and voluntary personal data. Personal data should be accurate and, where necessary, kept up to date. Validate personal data for accuracy Keep personal data up to date Allow for erasure or correction Can sustain a defence Can cope with Data subjects objections Specify remedial actions if inaccurate personal data have been used Principle 5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Review the length of time that personal data are kept Assess whether personal data are still required Fulfil any legal retention requirements Can delete personal data as necessary August 11 Page 3 of 5

Principle 6 Principle 7 Personal data shall be processed in accordance with the rights of data subjects. Remember under this act, data subjects have more rights and can claim compensation for damages or distress. The Subject access rights of 1984 have been enhanced by the 1998 act and include: Automated processing Right to object to direct marketing Right to object to other processing Individual judicial remedies For any subject access request received: The person must be informed about the data processing and disclosures Communicated in an intelligible form with sources Informed of logic behind automatic decision taking Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Security procedures should be in place and: Have a high priority and profile Identified as a staff and management responsibility Are supported by training Take note of relevant Codes of Practice/standards Are comprehensive Are monitored and reviewed Involve disaster recovery August 11 Page 4 of 5

Principle 8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Data Controller Each school should designate someone to be the Data Controller. It would be the responsibility of the Data Controller to ensure that the provisions of the Data Protection Act are fully complied with. The Data Controller should ensure that they are fully conversant with the content and interpretation of the Act. It would be appropriate for the Data Controller to ensure that all members of the school staff are aware of those aspects of the Act that may relate to them. This could take the form of training sessions and written guidelines. The Data Controller would wish to ensure that all systems that are introduced that may have Data Protection Act implications are introduced with their knowledge. August 11 Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information