Data Protection Policy




Data Protection Policy Version: 1.0 Date: October 2013

Table of Contents

1 Introduction: The need for a Data Protection Policy
2 Scope
3 Principles
4 Staff Roles & Responsibilities
5 Procedures
6 The Use of Live Data for Test Purposes
7 Policy Review and Audit
8 Internal Disciplinary Action and Criminal Prosecution
9 Related Documents
10 Further Information

1 Introduction: The need for a Data Protection Policy

1.1 The Data Protection Act 1998 places a legal obligation on all organisations to process personal data in accordance with eight Data Protection Principles set out in the Act.

1.2 Personal data is data which relates to a living individual and which allows the relevant individual to be identified either on its own or when it is combined with other personal data held.

1.3 St Helens Council must gather and process personal information about staff and clients in order to operate effectively.

1.4 The Council, acting as the custodians of personal data, recognise their legal and moral duty to ensure that personal data is handled properly and confidentially at all times.

2 Scope

2.1 This policy applies to all personal data held both on paper and by electronic means (including email).

2.2 This policy covers the whole lifecycle of personal data, including:
- The obtaining of data;
- The storage and security of the data;
- The use and disclosure of the data;
- The sharing of data;
- The disposal and destruction of the data.

2.3 This policy applies to all users who have access to the Council's network, information and systems.

3 Principles

St Helens Council will maintain appropriate safeguards to ensure adherence to the Data Protection Principles of the 1998 Act:

3.1 The collection and use of personal data will be done in such a way that recognises the Fair Processing Code, i.e. that personal data are obtained fairly and lawfully. As such, the data subject should be notified of any processing by issuing a Fair Processing Notice. Particular consideration should be given to the processing of sensitive personal data.

3.2 Personal data will only be obtained and processed for the purposes specified in their Notification and in pursuit of St. Helens Council's business objectives, and should not be processed in any manner incompatible with that purpose (or those purposes).

3.3 Personal data will be collected and processed on a need to know basis, ensuring that it is fit for the purpose and not excessive.

3.4 Steps will be taken to maintain the accuracy and currency of data.

3.5 Personal data will not be kept for longer than is necessary and will be disposed of at a time appropriate to the purpose for which it was collected.

3.6 The rights of individuals to whom personal data relate will be respected and steps taken to ensure that these rights may be exercised in accordance with the Act.

3.7 Appropriate security measures will be taken, both technically and organisationally, to protect personal data against damage, loss or abuse.

3.8 The movement of personal data will be done in a lawful way, both inside and outside the organisation, with suitable safeguards in place at all times.

The rights of data subjects should also be observed, and St Helens Council must ensure that these rights can be fully exercised under the DPA. These include:
- The right to be informed that processing is taking place;
- The right of access to their own personal data;
- The right to prevent processing in certain circumstances;
- The right to correct, rectify, block or erase information which is regarded as wrong information.

4 Staff Roles & Responsibilities

St. Helens Council will ensure the following staff roles in relation to Data Protection are supported, including the provision of appropriate training, instruction and supervision so that their duties may be carried out effectively and consistently:

4.1 A Data Protection Officer for St. Helens Council will be responsible for gathering and disseminating information and issues relating to Data Protection.

4.2 A System & Information Management Officer for St Helens Council will carry out the day to day workings of Data Protection compliance, and audit the provisions for the same in departments.

4.3 Information Management Group Representatives will coordinate Data Protection compliance within the Council's five Departments.

4.4 Line managers will have responsibility for all matters relating to Data Protection in their operational area.

4.5 Those individuals referred to in section 2.3, acting on the Council's behalf, will be responsible for safeguarding the personal data in their care.

4.6 All staff who handle personal data must undertake training in Data Protection and/or Caldicott training if appropriate.

5 Procedures

To meet the requirements of the legislation the Council has produced corporate standards and procedures, which should be adhered to in relation to the following:
- The collection, maintenance and disposal of personal data;
- Standards of security for both manual and computerised data, including the organisation of office accommodation to protect data;
- The disclosure of information to other departments and outside agencies;
- The disclosure of information to elected members;
- The handling of requests from individuals for access to their data;
- The setting up of new business processes, including the testing of new systems;
- The letting of contracts;
- The setting up of multi-agency partnership arrangements;
- The handling of personal data on email;
- The induction and training of staff;
- The review of policy for accuracy and currency;
- Departmental reviews of procedures for data protection compliance;
- Audits of procedures and practice for data protection compliance.

The corporate standards and procedures for the above are laid out in the Data Protection Code of Practice (see Related Documents below).

6 The Use of Live Data for Test Purposes

6.1 The processing of live data for test purposes should only take place when the Data Subject cannot be identified.

6.2 In exceptional circumstances, if the processing can be justified in the legitimate interests of the Data Controller, then the use of live data may be considered.

6.3 The decision to use live data for test purposes must be recorded and considered by the IT Policy & Regulation Group.

7 Policy Review and Audit

7.1 This policy and related policy documents will be reviewed regularly by the System & Information Management Officer to ensure their content is accurate and up to date.

7.2 The System & Information Management Officer will co-ordinate an audit of personal data processing across the authority on a regular basis.

7.3 The System & Information Management Officer will undertake a review of the management of data protection compliance within the Council on a regular basis.

7.4 The System & Information Management Officer will undertake audits of data protection compliance within departments on a rolling basis in accordance with the general Audit schedule for the Council.

7.5 Arrangements should be made within Departments for regular reviews of procedure and practice in relation to data protection to ensure compliance with the Council's Data Protection Policy.

8 Internal Disciplinary Action and Criminal Prosecution

8.1 It is important that staff at all levels adhere to the requirements of this policy by following the guidelines and procedures set out in the Data Protection Code of Practice.

8.2 Negligent or deliberately destructive acts may result in disciplinary action as covered by Employees' Terms and Conditions.

8.3 Under the Data Protection Act 1998, legal liability for the safeguarding of personal data falls both to the organisation and individually to its staff members. Prosecutions have been undertaken under the Data Protection Act.

9 Related Documents

9.1 The Information ICT Security Policy Framework sets out the overarching policies and governance surrounding the Council's management of information and information systems (including electronic and hard copy information).

9.2 Internet & Email Policy - produced by Internal Audit (Regulation and Compliance). The Internet & Email Policy forms part of the Information Management Framework.

9.3 The documents named above can be found on the Council's Intranet.

10 Further Information

10.1 Further information, advice and guidance is available from the System & Information Management Officer, Internal Audit (Regulation and Compliance), Town Hall, Tel: 01744 673474, email: dataprotection@sthelens.gov.uk

10.2 The Office of the Information Commissioner is the government regulator for Data Protection in the UK:
Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545 745

10.3 The Information Commissioner's website (ico.gov.uk) contains guidance on the implementation of the FOIA, DPA and Environmental Information Regulations Act.

October 2013