The Data Protection Act 1998 Clare Hall Data Protection Policy


Introduction

This document is a guide to the main requirements of the Data Protection Act 1998 (DPA), which became fully effective on 24th October 2001 when its transitional provisions ended. Full details can be found on www.dataprotection.co.uk. College Staff with access to personal data must act in accordance with the terms of the Act, and must sign the certificate of compliance at Appendix 1.

The Act has wide-reaching implications. The purpose of this document is to introduce its key elements and, most importantly, to outline how each member of Staff who holds or collects so-called open data (see below) should act in order to be DPA compliant.

The main requirements of the Act (the eight data protection principles) are that personal data should be:

- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and, where necessary, kept up to date
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Secure
- Not transferred to countries outside the European Economic Area without adequate protection

Data Protection Responsibilities within Clare Hall

Data protection within the College is the responsibility of the Bursar (Data Protection Officer, DPO), with the Senior Tutor as his or her Deputy. Both posts are ex officio.

Staff Responsibilities

All staff will, through appropriate training and responsible management:

- Observe all guidance, codes of practice and procedures about the collection and use of personal information.
- Understand fully the purposes for which the College uses personal information.
- Collect and process only the information that is appropriate to the purposes for which the College uses it, to meet its needs and legal requirements.
- Access only the personal data that they need to carry out their jobs properly.
- Ensure that information is recorded accurately and correctly in the College's systems by following its standard format (as attached).
- Ensure that information is destroyed when it is no longer required.
- On receipt of a request (a Subject Access Request) from an individual for the information held about them by or on behalf of the College, immediately notify the Data Protection Officer.
- Deal with all personal information in accordance with the College's security procedures.

Such training will be fully documented for all staff. Any breach of the 1998 Act or of the College's data protection policy will be viewed as gross misconduct and may lead to dismissal.

Types of Data

The only data with the potential to fall within the terms of the Act is personal data; that is, data relating to a living individual who can be identified from it. Personal data can be divided into four categories:

Open Data. Data from which individuals can be readily identified. The data does not have to have individuals' names attached to it: the combination of data items may be such that it can only refer to a small group of people (in practice 50 or fewer), making identification of individuals a significant risk.

Coded Data. Data where the main data set carries a code that identifies an individual, and the key linking the code to the individual's name is kept separately from the data set but within the same institution. To all intents and purposes this data must be treated the same way as open data under the terms of the Act.

Linked Anonymised Data. A particular form of coded data where the key is held by another data controller, such as the University.

Unlinked Anonymised Data. Data that contains no individual reference and does not link to any code elsewhere. Such data has no implications for data protection and falls outside the remit of the Act.

Since the vast majority of data handled by the College will be open data, the rest of this document deals only with its treatment. Essentially, if data can be linked to an individual in any way it should be treated as open data and handled according to the guidelines in this document. Further advice may be obtained from one of the Data Protection Officers.

Basic protection of open data

The following rules apply to all open data:

- All open electronic data must be stored on code-word (password) protected disk space. This also applies to portable computers and home computers.
- All open paper data must be stored in a locked storage facility (e.g. a filing cabinet) in a locked room or building. This may require some pruning of paper data.
- Open data taken off-site must be kept secure. This means code-word protection of off-site disk space, the use of locked storage space, and the prevention of casual viewing by others. In particular, steps must be taken to prevent access to the data while it is in transit.
- Open data must not be discussed in a way that can be overheard such that individuals can be identified. It must not be left lying around for others to read, on desks or on printers.
- All electronic mail that discusses identifiable individuals must be treated as open data: code-word protected and sent only to known addressees.
- Data must not be sent to countries outside the European Economic Area that the Act does not recognise as providing adequate protection (see the Act web site).

The acquisition of data

When acquiring open data it is imperative that informed consent is obtained for all of the possible future uses of the data. If a member of staff's work involves a further use or disclosure of the data that was not covered by the original consent, separate consent should be obtained.

It is important to be clear that the principles of Data Protection do not mean that staff cannot do things with personal data such as publish it in College publications or talk about it at conferences and meetings (even with reference to named individuals). They mean that before doing these things the written informed consent of the individuals involved must be obtained.

The registration of data

Under the terms of the Act all of the open data acquired and kept by the College needs to be registered. In practical terms this means that it is stored in College secure files and College Members' personal files and afforded the appropriate degree of security.

Requests to Access Open Data

Under the terms of the Act, individuals on whom data is kept have the right to access that data. For this reason the above guidelines on the security of data must be adhered to. In the event of a request for access to data, the member of staff concerned should:

- Be aware that deception may be used to obtain information.
- Note that telephone requests for information should rarely, if ever, be complied with.
- Establish the identity of the person requiring disclosure before responding.
- Confirm that the College does indeed hold data on that individual.
- Consult one of the Data Protection Officers if in doubt before making any disclosure.
- Ensure that the request is made in writing.
- Keep a record of all routine and non-routine disclosures. Record in the appropriate Personal File the person who made the disclosure and the person who authorised it, the person requesting the data, and the reasons for making the disclosure. The date and time must also be recorded.

Loss of data

Guidelines for the loss of data are at Appendix 2.

April 2002

Appendix 1

NOTIFICATION OF COMPLIANCE WITH THE DATA PROTECTION ACT 1998

Name:
Position:

This is to confirm that the terms of the Data Protection Act 1998 have been communicated to me and that I am, and will continue to be, compliant with the Act in the normal conduct of my duties. I am aware of, and will implement, the appropriate procedures regarding access to data and loss of data should the circumstances arise. I confirm that if, for any reason, I am unable to continue complying with the Act, I will inform the College DPO immediately.

Signed:
Date:

Appendix 2

Action in the Event of Lost or Stolen Data

The first action should be to inform the DPO or his/her Deputy about the loss. He/she will immediately take charge of the situation and establish, as far as possible, what data has been lost or stolen and the associated circumstances.

Risk Assessment

A preliminary assessment of the risks to individuals and organisations should be undertaken to scope the necessary action:

- Does the data contain information about people? On the personnel front, data may contain information about College staff and permanent members, visiting fellows and non-College employees, third parties, contacts and mailing lists, visitors (possibly high profile) and referees.
- Has business data been lost? Data may contain information about organisational issues and structures, contractual arrangements, strategic planning activities, security procedures, research issues (including progress and intellectual property rights), accommodation plans and financial matters.

The key issues to be determined are:

- If data has been stolen, what damage could be caused by its illegal use?
- If information about identifiable people has been lost, should the individuals be informed?
- If data about external organisations has been lost, is there a risk to their business? In that event, what embarrassment and impact on relationships might be caused?
- Can the data be reconstructed from back-ups etc.?

Notifications

Consideration needs to be given to contacting the individuals or agencies concerned. Data subjects should only be contacted once a full investigation and impact assessment have been completed. College members may need to be informed if personnel data is lost. Third parties may also need to be informed.

Recovery

Recovery from a loss will be a high priority. Sound backup, and effective security of backup storage, will of course ensure that this can be done effectively and quickly.

Review of Security

A review of both physical and IT security arrangements may be necessary, not only to ensure that further problems will not arise, but also to establish lessons that might productively be passed on to other Colleges.