
For definitions of terms used in the guidance, please see the Data Protection Definitions section of the University website: http://www.northumbria.ac.uk/vc/leservteam/ndp/dpdef/

The Data Protection Act 1998 requires that all staff and others who process or use any personal information must ensure that they adhere to the 8 data protection principles. The principles are based on three key concepts:

- Purpose: personal data must only be held for a clear purpose or purposes
- Fairness: personal data must only be processed for legitimate purposes
- Transparency: data subjects must be given certain basic information about the personal data held about them

The Eight Principles:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Page 1 of 7 Updated on: 05/06/2013

The Eight Principles:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

SCHEDULE 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.
2. The processing is necessary for the performance of a contract to which the data subject is a party.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary for the administration of justice.
6. The processing is necessary for the purposes of legitimate interests of the Data Controller (the University).

SCHEDULE 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.
2. The processing is necessary for the purposes of any obligations conferred or imposed by law on the data controller in connection with employment.

3. The processing is necessary in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject, or in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4. The processing is carried out in the course of its legitimate activities by any body or association, for example trade unions, religious or philosophical organisations or political parties.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings).
7. The processing is necessary for the administration of justice.

This means that the purpose for which personal data is being collected and processed needs to be made clear to the data subject in a fair processing notice. Personal data should only be obtained from a person who is legally authorised to supply it, which in most cases will be the data subjects themselves. Data subjects should never be deceived as to the purpose for which their personal data is held or used.

University systems containing personal data should have defined:

- what data will be held
- the purposes for which the data will be held
- whether any of the data will be disclosed to any third party, and if so, to whom
- any non-obvious consequences of the processing
- personal data for which the data subject may withdraw consent for the University to hold/use
- a contact name, email address or telephone number through which the data subject can check or amend the data held, or request the deletion of that data

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data that has been collected and held for one purpose should not be used for another purpose. For example, data collected by a researcher for the purpose of conducting their research should not be used by a Faculty for direct marketing. Each purpose should be listed in the fair processing notice, including any intention to share the data with any third parties for legitimate purposes only, as defined in the notice.

Staff should always notify the University's Records and Information Manager if they wish to collect and/or process personal data.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The level of personal data held should only be to the extent where those details are relevant and required to fulfill the stated purpose(s). Holding personal data because it might be useful later on is not acceptable. Sensitive personal data must only be held if absolutely necessary. For example, if a researcher does not need to know a person's ethnic origins, collecting such information would be excessive. However, if the ethnic origin was key information as part of the research, collecting it would be relevant.

Staff should always notify the University's Records and Information Manager if they wish to collect and/or process personal data so that adequacy levels can be checked. Staff responsible for systems collecting or processing personal data should keep a record of the reasons why that data is required. Amendments to forms used for collecting personal data should be reviewed as appropriate.

4. Personal data shall be accurate and, where necessary, kept up to date.

Personal data must be kept up to date where the records are current; this includes ensuring that data is accurate. The University has procedures in place for keeping personal data up to date (for example, students update information at (re)enrollment, Human Resources have procedures to enable staff to update their details) but it is wrong to assume that every data subject will comply with the request to update their details. Details could change at any time, making the last update out of date, and an individual may request that their details are changed at any time.

Staff processing personal data should be vigilant and raise any concerns they have with data accuracy with the systems manager or the Records and Information Manager. Staff should comply with requests from individuals to make amendments to their data by passing the request on to the systems manager or the Records and Information Manager.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In basic terms this means that when data is no longer needed for its purposes, it must be disposed of securely in accordance with the University Retention Schedule. Personal data must not be retained for longer than the defined time periods. Where no statutory time limit is recorded or known, staff should consult the Records and Information Manager.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

1. The right to subject access allows data subjects to access copies of personal information the University holds about them either on computer or in a structured manual filing system. This is done via a Subject Access request (see http://www.northumbria.ac.uk/vc/leservteam/ndp/subjar).
2. Data subjects have the right to ask in writing that the University not process information where it is likely to cause them damage or distress.

3. Data subjects have the right to ask the University in writing to cease processing their personal data for direct marketing purposes.
4. Data subjects have the right to object to the University in writing to decisions affecting them where they are made by automated processes and can request that decisions are made with human involvement.
5. Right to compensation through the courts for any damage and distress suffered as a result of any breaches of the Data Protection Act committed by the University.
6. The right to rectification of data which is inaccurate or contains expressions of opinion based on inaccurate information.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Appropriate measures should be taken by the University, irrespective of format (paper or electronic), to keep the information secure, to prevent unlawful and/or unauthorised processing, and to ensure that the data is protected against accidental loss and destruction or damage. This obligation extends to staff working from home, traveling between meetings or using mobile devices capable of accessing University systems.

Staff are required to process data securely and only in line with authorised University procedures.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Personal data must not be transferred to a country outside the European Economic Area unless:

- explicit consent has been obtained from the data subject(s);
- the data has been completely anonymised;
- that country ensures an adequate level of protection for data subjects;

- a contract is in place with the recipient of the personal data, which puts the necessary safeguards in place.

The Data Protection Act is derived from a European Directive which EEA member states have signed up to. This ensures that they all have data protection laws in place which allows the sharing of information between them in the knowledge that the data will be protected.

The following are EEA members: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK.

Remember that publication on the Internet puts information beyond the EEA.

Safe Harbor

The USA does not have general data protection law and so the European Commission requires a 'Safe Harbor' scheme to provide an adequate level of protection for personal information. Under Safe Harbor, US companies sign up to agree to seven principles in relation to information handling. Explicit consent of the individual to share their personal data with US-based (or non-EEA) organisations should always be in place.

Staff who require personal data to be shared with organisations or individuals within the USA should consult the University Records and Information Manager first.