The Data Protection Act 1998

Transcription

1 The Data Protection Act Terms 2. The principles of The Data Protection Act 3. Disclosure of Information 4. Subject Access 5. Enforcement 6. Data Security 7. Recording of Contact Exemptions All Registered Individuals and Appointed Representatives of New Leaf Distribution and their associated RI s will hold client data. As such they are required to hold their own Data Protection Registration number. Registered individuals must have their own individual DP license as they keep personal files/data at their homes or in their offices. They also possess laptops and PC s that hold personal data appertaining to their clients and prospective clients and as such a DP license with the RI s home address or office address (the location where data is stored) must be in place. The AR firm or individual RI within the AR firm is required to hold his/her own license. The Data Protection Act 1998 came into force on the 1 st March The act sets out the rules for the processing of personal information in manual, computer or a range of other forms. A copy of the act has been obtained by New Leaf Distribution and is to be read by all staff on an annual basis, for remote access we recommend you visit: Your individual understanding and knowledge in relation to the act will be tested on an annual basis after training has been undertaken. 1. Terms Personal Data - The Data Protection Act applies to 'personal data' that is, data about identifiable living individuals. Sensitive Data - This refers to data held about an individual that refers to racial or ethnic origin, political opinions or trade union membership, religious or similar beliefs. Data Controller - Those who decide how and why personal data is processed are known as (Data Controllers), in our case this is New Leaf Distribution itself. The Data Controller must comply with the rules of good information handling, known as the Data Protection Principles and the other Data Protection Act requirements. Page 1 of 1

2 Data Subject - The individual about whom the information is recorded, the data subject may be a previous, current or potential customer, client, employee, consultant, supplier, dealer, broker, agent, intermediary, contractor, advisor, business contact or a person with no obvious connection to the Data Controller at all. Data Processors - Data Processors are those who process personal data on behalf of a Data Controller, however, where an employee is processing for an employer, then the employer is both controller and processor. Relevant Filing System - This refers to manual data that is readily accessible by reference to the individual. The types of documents that would fall into this category are as follows: Customer account records, investment/ mortgage applications, personnel files, medical files, contact lists and directories, compliant records and marketing lists. 2. The principles of The Data Protection Act There are 8 enforceable principles of good practice. That Data must be: Fairly and lawfully processed Processed for limited purposes and not in any manner incompatible with those purposes Adequate relevant and not excessive Accurate and up to date Not kept for any longer than is necessary Processed in line with the data subjects rights Secure Not transferred to countries with adequate protection. 3. Disclosure of Information Information may be disclosed to: To the Data Subject - Provided you are satisfied that the person making the request is the data subject. If in doubt the individual should be asked to write in for the information. To a person acting on the Data Subject's behalf - Information must not be disclosed to a sole account holder s spouse, partner or family member without the specific consent of the account holder. It can however, be disclosed to the Data Subject's solicitor, accountant, or financial advisor provided that you are satisfied that they are acting for the subject. If in doubt, ask for written confirmation. Take care in matrimonial cases where one partner may be fishing for information to use in divorce proceedings. Page 2 of 2

3 To a person acting on New Leaf Distributions behalf - For example an agent of New leaf Distribution or a solicitor going to court who would need to know that subjects details. Legal Obligations - Requests for information may come from the police, Inland Revenue, VAT inspectors etc., requests of this nature should be reported to the Operations Director. If it is in the legitimate interest of the Data Controller? Vital interests of the Data Subject? - It may be necessary to disclose information that someone is diabetic if suddenly taken ill. 4. Subject Access Individuals have several rights with regard to the way in which their personal data is processed. These are as follows: Right of subject access Right to prevent processing likely to cause damage or distress Right to prevent processing for purposes of direct marketing Rights in relation to automatic decision taking Rights to compensation where a data controller has failed to comply with certain requirements under the 1998 Act Rights to rectification, blocking, erasure or destruction of personal data If a customer wishes to make a subject access they are able to request a copy of all the information held about them on computer or manual files. It is because of this that all staff must be very careful about the types of information recorded on the account history screens. Account histories must be accurate, factual and not contain any personal opinions or comments, as the data subject is entitled to see what has been written and may be able to sue for libel should they wish. Any requests for information will be subject to a charge of and these should be directed to the Managing Director. The Data Controller must respond within 40 days of receiving the request or from the point when the fee has been received along with other information required to identify the individual. 5. Enforcement It is a criminal offence to: Contravene the registration requirements Fail to comply with an enforcement notice Procure the disclosure of personal data and sell the information procured Unlawfully obtain of disclose personal data Page 3 of 3

4 Both individual staff members and the Data Controller (New Leaf Distribution) are liable for prosecution. These offences are trialable in either Magistrates Court or the Crown Court. In Magistrates Court the maximum fine is 5000, in the Crown Court the fine is unlimited. 6. Data Security The seventh principle of the Data Protection Act states that personal data should be kept secure, with sufficient processes in place to prevent unauthorised access and any loss or damage to data. Appointed Representatives must ensure that screens containing personal data cannot be viewed by Non Appointed Representatives and that work stations are locked or closed down when left unattended. Staff must also ensure that no print outs containing personal information are left in an insecure area and that disposal of print outs is carried out correctly ensuring all waste is shredded either manually or by machine prior to being placed in waste paper bins. 7. Recording of Contact Exemptions All Data Subjects have a right to object to the use of their data for marketing purposes. There are also restrictions on marketing via telephone calls and fax messages. All staff have a duty to ensure that these exemptions are recorded correctly on the system, to comply with the wishes of the individual under the Data Protection Act Data Protection Checklist This checklist will help you to comply with the Data Protection Act. Do I really need this information about an individual? Do I know what I am holding it for? Do the people whose information I hold know that I have got it, and are they likely to know and understand what it will be used for? If I m asked to pass on personal information, would the people whose information I hold expect me to do this? Am I satisfied the information is being held securely, whether it s on paper or on computer? And what about my website? Is it secure? Is access to personal information limited to those who absolutely need to know? I am sure the personal information is accurate and up to date? Page 4 of 4

5 Do I delete or destroy information as soon as I have no more need for it? Have I trained my staff in their responsibilities under the Data Protection Act? Are they fulfilling them in practice? Do I need to notify the Information Commissioner? If so, is my notification up to date? If you have any further queries in this area please contact the compliance team. Page 5 of 5