Data Protection Policy


Data Protection Policy

Date approved by Heads of Service: 3 June 2014
Staff member responsible: Director of Finance and Corporate Services
Due for review: June 2016

Contents

1 Purpose of the Policy
2 Definitions
3 Commitments
4 Responsibilities
5 Key Points of the Policy
6 Monitoring and Review
7 Communication to Staff
Appendix: Breach Procedure

1. Purpose of the Policy

1.1 The purpose of the policy is to demonstrate the corporate commitment of the organisation to a culture in which the principles of the Data Protection Act 1998 are embedded.

1.2 The organisation collects, receives, holds and processes a wide range of personal data relating to individuals, which may be held electronically or in manual systems. This policy therefore provides some clarity around the Data Protection Act 1998, the enforceable rights it gives to individuals and the obligations it places on those who hold personal data.

1.3 The policy clearly identifies responsibilities; particular reference should be given to those noted within section 4 and across the key points of the policy.

2. Definitions

2.1 For the purposes of this policy and accompanying guidance the following definitions apply:

2.2 "The Association" means Cestria Community Housing, which is registered as the data controller with the Information Commissioner under the Data Protection Act 1998 to process personal data.

2.3 "Employees" includes all workers who are employed by the Association under a contract of employment, or are working for the Association as a consultant, or are temporary staff, or work through an agency, and who have access to data.

2.4 "ICT Users" means anyone who accesses ICT systems, or uses ICT equipment, which is owned by the Association. Such users could include, but are not limited to, staff, contractors, Board Members and tenants.

2.5 "ICT equipment" includes that which is owned or leased by the Association, or used in conjunction with the Association's assets, and must be used in line with this and other ICT policies. It covers the following:
- Internet
- Intranet
- E-Mail
- Telephony, including Mobile Devices
- Computers
- Laptops
- Fax Machines
- Smart Phones

2.6 "Customers" includes persons to whom the Association provides accommodation and services, including current, former and future tenants and leaseholders, residents and housing applicants.

2.7 "Data Controller" - the Data Controller is Cestria Community Housing Association. The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services. Any questions or concerns about the interpretation or operation of this policy should in the first instance be discussed with the Company Secretary.

2.8 "Data Subject" is any living person who is the subject of personal data, whether in a personal or business capacity.

2.9 "Personal data" is any information/data relating to an individual who can be identified from the data (or from the data together with other information in the possession of the Association). Personal data can be factual, e.g. name, address, date of birth, or it can be an opinion, e.g. a performance appraisal. Such information normally has the individual as its focus and affects their privacy in some way. Personal data may be held on paper forming part of a relevant filing system, or on a computer or other electronic system, e.g. CCTV.

2.10 "Processing" means any activity that involves the use of data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties. The processing of personal data must comply with the data protection principles under the Data Protection Act 1998. These state that personal data must be:
- processed fairly and lawfully;
- processed for limited, specific purposes and not further processed for a purpose incompatible with the specified purposes;
- adequate, relevant and not excessive for the purpose;
- accurate and kept up to date;
- not kept longer than necessary for the purpose;
- processed in line with the data subject's rights;
- secure;
- not transferred to people or organisations situated in countries outside the European Economic Area (EEA) without adequate protection for personal data.

2.11 "Sensitive personal data" includes, but is not necessarily limited to, information about a person's racial or ethnic origin, their political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, or proceedings for any offence.

2.12 "Confidential information" comprises all commercially sensitive data, whether received formally, informally, or discovered by accident. This includes, but is not necessarily limited to:
- any personal data about employees, board members, employment applicants, customers, consultants, contractors, suppliers and partners;
- any policy, procedure or strategy deemed by the board to be commercially sensitive;
- any other information, not in the public domain, that is likely to be commercially sensitive or where there is a risk of the Association being damaged by its disclosure;
- tenders and quotations for services and works.

2.13 "Subject Access Request" is a request from an individual to view the personal data that the Association holds about them. Under the Data Protection Act, any such individual, known as the data subject, has the right to access their own personal information.

2.14 "Data breach" is the intentional or unintentional release of secure information. It is a security incident in which sensitive, protected or confidential information is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so, and may include, but is not limited to, theft or loss of ICT equipment on which such information may be stored unencrypted.

3. Commitment

3.1 The Association is committed to:
1. Ensuring compliance with the Data Protection Act 1998.
2. Providing clear guidance and training to staff on data protection issues.
3. Taking appropriate security measures to safeguard personal information.
4. Ensuring all employees and Board members keep personal data secure at all times against unauthorised or unlawful loss or disclosure, and in particular that paper files and other records or documents containing personal/sensitive information are kept in a safe environment, and that personal data held on computers and computer systems is protected by the use of safe passwords and that individual passwords are kept private.
5. Ensuring all contractors, consultants and suppliers ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Cestria are aware of this policy and their responsibilities under the Data Protection Act 1998.
6. Ensuring that this policy and any associated guidance are applied appropriately and consistently.
7. Ensuring this policy is implemented in line with Cestria's Equality and Diversity Policy and associated legislation. Consideration will be given to all protected characteristics under the Equality Act 2010 to eliminate discrimination, advance equality of opportunity and foster good relationships.
8. Ensuring this policy and associated documents are available in different languages and alternative formats, such as large print, audio tape etc., on request.

4. Responsibilities

Cestria CHA

4.1 The Association, or its representatives, reserves the right to audit networks and systems on a periodic basis to ensure compliance with this and other relevant policies.

4.2 To meet business or service needs, or where legal issues are involved, management reserves the right to inspect such records without the user's prior knowledge or consent.

Data Controller

4.3 The designated person who has responsibility for data protection within Cestria is the Company Secretary, the Director of Finance and Corporate Services.

4.4 The Data Controller has 40 calendar days to process requests made in respect of personal data (subject access requests) and respond to the applicant, once the £10.00 fee has been received.

4.5 The Data Controller will ensure appropriate information in respect of this policy is made available once all requirements are satisfied, in line with the key points section, with support from managers where required.

4.6 The Data Controller is the key point of contact for any query that may arise from staff in respect of this policy and/or data protection/security and/or data breaches.

4.7 The Data Controller will investigate any data breaches he is made aware of and ensure an appropriate response.

Heads of Service

4.8 Will support the Data Controller in respect of this policy when subject access requests are received.

4.9 Are responsible for those points noted within the Reporting a Data Breach section of this policy.

Managers

4.10 Will ensure appropriate information in respect of this policy is made available to support the Data Controller, in line with the key points section.

4.11 Will approve who within their service teams is able to work at home whenever this may be required.

4.12 Will agree all arrangements for monitoring, supervising, setting workloads etc. in respect of home working.

4.13 Are responsible for ensuring operational procedures within their service teams reflect the correct application of data protection requirements where personal data is collected and/or processed.

4.14 Are responsible for ensuring periodic and ongoing monitoring checks are undertaken to ensure compliance with data protection requirements, including all other relevant policies and processes.

4.15 Are responsible for those points noted within the Reporting a Data Breach section of this policy.

Employees

4.16 Employees whose role requires access to personal data must ensure they comply with this policy at all times, and in particular with the 8 principles of the Data Protection Act.

4.17 Must ensure they comply with the Subject Access Request guidance in respect of this policy.

4.18 Employees must seek their manager's prior approval to work at home whenever this may be required, in line with the ICT Acceptable Use Policy, and must provide their own equipment.

4.19 To protect personal data and security, employees are not to release their home address and telephone number to non-members of staff. Employees are also strongly advised not to meet volunteers, clients or customers at home. In the event that any employee feels this is essential, they must gain prior approval from their line manager.

4.20 Must ensure confidentiality; therefore equipment and files should only be accessible to the employee and safeguarded from access by other members of the household and visitors.

4.21 It is the responsibility of every employee and user to know and understand this and other relevant policies, and to conduct their activities accordingly.

4.22 Must ensure data breaches within the Association are reported to the Data Controller as indicated within this policy.

4.23 Are responsible for those points noted within the Reporting a Data Breach section of this policy.

Users

4.24 Must advise IT Support Services if they have sensitive or vulnerable data, in order that they can discuss and consider encryption.

4.25 Must maintain personal safety and privacy while accessing the Internet.

4.26 It is the user's responsibility to ensure that suitable access restrictions are put in place on any smart phone/devices that are accessing work-related information (emails, calendars, etc.).

4.27 Must adhere to this and other ICT policies:
- ICT Acceptable Use Policy
- E-Mail and Internet Policy
- Electronic Media and Data Security Policy
- Social Media Policy and procedures

4.28 It is the user's responsibility to ensure compliance with all applicable provisions of this policy. Ignorance will not be recognised as sufficient grounds for appeal. If you have any comments or queries, or there is any provision that you do not understand, you should contact your Head of Service.

4.29 Must never reveal their account password to others or allow use of their account by others. This includes family and other household members if working from home.

4.30 Must not use the Association's ICT equipment to evade, or attempt to evade, the security and authentication processes.

4.31 Must never install software applications and/or updates from the internet without the express authorisation of the IT Support Services Team.

ICT Support Services Team

4.32 The ICT Support Services Team, or their representatives (e.g. an external consultancy when doing penetration tests etc.), may monitor equipment, systems and network traffic at any time for any purpose permissible by law and for ensuring the security of data within ICT systems, or when instructed to do so, in respect of security of data, by an Executive Team Member.

5. Key Points of the Policy

5.1 General Principles

5.1.1 Through the course of our business, we will collect information about people, such as:
- current, past and prospective customers
- current, past and prospective employees
- current, past and prospective Board members
- any member of the public
- suppliers, contractors and consultants

5.1.2 Personal information we may hold must be dealt with properly, regardless of how the information is collected, recorded or used, and regardless of whether it is on paper, on electronic systems or held by any other means.

5.1.3 The Data Protection Act 1998 applies to electronic and paper records containing personal data, as well as data held visually in photographs or video clips (including CCTV) or sound recordings. This includes any expression of opinion about an individual and intentions towards an individual.

5.2 The Data Protection Act 1998

5.2.1 The Data Protection Act 1998 regulates the collection, holding, processing and distribution of personal data, that is, information relating to individuals which is held either electronically or in manual systems. The Act gives enforceable rights to individuals and places obligations on those who hold personal data.

5.2.2 In cases where an individual requests access to their personal information under this Act, Cestria must tell the applicant whether it holds the information, and must supply it within 40 calendar days, in the format requested.

5.2.3 There are eight data protection principles. These require personal information to be:
- fairly and lawfully processed;
- processed for limited, specified purposes;
- adequate, relevant and not excessive;
- accurate and kept up to date;
- not kept longer than necessary;
- processed in accordance with individual rights;
- kept secure;
- not transferred abroad to countries without adequate protection.

5.3 Disclosure of information

5.3.1 Personal data and confidential information held will only be passed to others on a need-to-know basis and with the individual's consent, unless there are exceptional circumstances. Exceptional circumstances include:
- where there is clear evidence of fraud;
- to comply with the law;
- in connection with legal proceedings;
- where it is essential to enable the Association to carry out its duties, for example where the health and safety of an individual will be at risk by not disclosing the information.
Personal data may only be transferred to a third party data processor if the third party enters into a contract in which it agrees to comply with appropriate security procedures and policies.

5.4 Requests for Personal Data (Subject Access Requests)

5.4.1 Guidance in respect of Subject Access Requests has been provided to every employee and must be considered, in line with this policy.

5.4.2 Everyone has the right to access personal data that is being kept about them, as long as it falls within the scope of the Data Protection Act 1998.

5.4.3 Anyone may make a request for access to personal data which Cestria holds about them. Such requests must be made in writing and should be submitted to the Company Secretary. The request must include:
- the applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- the £10 fee.
The Data Controller has 40 calendar days to process the request and respond to the applicant, once the £10.00 fee has been received.

5.4.4 Any personal information can be requested; however, the Association is allowed by the Act to withhold third party personal information if the third party has not consented to its disclosure.

5.5 Requests for Information about Other People

5.5.1 Information will only be provided where the data subject has consented or there is an exemption which applies under the Data Protection Act. Anyone who wishes to request this information must make their request in writing. The request must include:
- the applicant's name;
- an address where the applicant can be contacted;
- a description of the information the applicant wants;
- the £10 fee.

5.5.2 Cestria does not need to comply with a request when it has received an identical or similar request from the same person, unless a reasonable amount of time has elapsed between the initial and subsequent requests. The Data Controller then has 40 calendar days to process the request and respond to the applicant.

5.6 Data Protection Act 1998 - Exemptions

5.6.1 When considering a request for personal data, the Data Controller may apply exemptions in the Data Protection Act 1998 where the personal data:
- if disclosed, would prejudice the prevention or detection of crime or the collection or assessment of tax;
- is held in connection with legal proceedings;
- if disclosed, would prejudice negotiations with the data subject;
- is covered by legal privilege.

5.7 Reporting a Data Breach

5.7.1 In the event of a security breach, there are four important elements to undertake:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response

5.7.2 The data breach process is appended to this policy; however, in the event of discovering a data breach, employees (you) must:
- Inform the Data Controller immediately;
- Inform your Manager/Head of Service immediately;
- Take immediate steps to contain the breach;
- Make a preliminary assessment.
Once made aware, managers and/or heads of service must:
- Evaluate the risks for individuals associated with the breach;
- Consider what personal information is involved;
- Determine whether the context of the information is sensitive;
- Establish the cause and extent of the breach;
- Identify what the risk of harm is;
- Consider breach notification;
- Carry out a risk analysis on a case-by-case basis;
- Ensure the Data Controller is updated regularly.

5.7.3 Where there is potential harm to the data subjects, managers must:
- Review the incident and take action to prevent future breaches;
- Fully investigate the cause of the breach;
- Consider developing a prevention plan;
- Consider the option of an audit to ensure the plan is implemented;
- Update the security/response plan;
- Make appropriate changes to policies and procedures;
- Revise staff training practices.

5.8 Other linked policies

5.8.1 In addition to adhering to the Staff Code of Conduct, other documents that must be considered along with this Data Protection Policy are shown below; however, this is not an exhaustive list:
- ICT Acceptable Use Policy
- Electronic Data Security Policy
- Social Media Policy

- Clear Desk Policy
- Equality and Diversity Policy
- Disciplinary Policy
- Safeguarding Policy

6 Monitoring and Review

6.1 The Director of Finance and Corporate Services will be responsible for reviewing this policy, which will be reviewed every 2 years to ensure that it is effective and complies with current practice. Should there be any change to the statutory requirements, a review would be carried out sooner.

7 Communication to Staff

7.1 All managers must communicate and share this policy with their team within four weeks of policy approval. Managers are required to discuss the impact and the implications of this policy at the team meeting for all staff (new and existing).

7.2 Managers are required to ensure team members understand the relevance of the policy and show their acceptance by signing below.

7.3 Managers must also keep the signed copy of the policy for future reference.

8 Acceptance of the policy

8.1 I have read and understood the policy. I understand the impact, implications and my responsibility in relation to this policy.

Team: ........ Name: ........ Signature: ........ Date: ........


Data Security Breach Process

In the event of a security breach, the following process must be followed to ensure four important elements are considered: containment and recovery, assessment of ongoing risk, notification of the breach, and evaluation and response.

In all cases, the Data Controller must be informed immediately, as well as your manager and head of service. The Data Controller will take the lead on all breach investigations, and managers and heads of service will fully support this process and ensure the Data Controller is constantly updated.

Throughout the investigation, individuals will be identified by the lead in respect of actions to be taken, particularly in the:
- containment period, i.e. closing a section of the network, finding the lost piece of equipment or changing access codes etc.;
- recovery period, i.e. recovering any losses and limiting the damage the breach has caused, as well as the physical recovery of equipment;
- notification, where appropriate, informing the police.

In every event of a data security breach, the following process must be followed.

Security Breach: you discover a data security breach. You must:
- Inform the Data Controller immediately, and your manager and head of service;
- Take immediate steps to contain the breach and make a preliminary assessment, ensuring you keep your manager updated.

Once made aware, managers and heads of service must, while ensuring the Data Controller is constantly updated:
- Evaluate the risks for all those associated with the breach;
- Consider what personal information is involved;
- Determine whether the context of the information is sensitive;
- Establish the cause and extent of the breach;
- Identify what the risk of harm is;
- Consider breach notification and conduct a risk analysis on each case.

Where there is potential harm to the data subjects, managers and heads of service must:
- Review the incident and take action to prevent future breaches;
- Fully investigate the cause of the breach;
- Consider developing a prevention plan;
- Consider the option of an audit to ensure the plan is implemented;
- Update the security/response plan;
- Make appropriate changes to policies and procedures and revise staff training practices.

If you require further information, you must speak to the Data Controller and/or consult the Information Commissioner's Office (ICO) website through the following link: http://ico.org.uk/for_organisations/data_protection/~/media/documents/library/data_protection/practical_application/guidance_on_data_security_breach_management.pdf