DATA PROTECTION AND PERSONAL INFORMATION MANAGEMENT POLICY
The Data Protection Act: Application and Effect
The Data Protection Act (“DPA”) relates to the handling, processing and storage of all personal data. It regulates what the person or business holding information (known as the “Data Controller”) can do with the information it holds, and what the person to whom the information relates (known as the “Data Subject”) is entitled to do in terms of seeing that information and having it corrected or deleted. The DPA relates to all personal data whether held by the Company electronically or in hardcopy, and covers all processing of those personal data by all staff whether in the office, working at other locations or outside of work.
Personal Data and Sensitive Personal Data
Personal data includes employee information, client related data and any other information relating to a living individual who can be identified using that information either alone or with other information. It includes factual information and also statements of intentions relating to a person.
There is a special category of sensitive personal data and these data are more heavily protected. The category of sensitive personal data is set out in section 2 of the DPA and it includes:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union,
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Commitment to DPA
It is the intention of the Company to comply with the terms of the Data Protection Act 1998. All staff who process personal data must ensure that they do so within the terms of the DPA at all times.
DPA: Eight Core Principles
Schedule 1 of the DPA sets out eight principles governing the processing of personal data. The eight principles are set out below, together with information from the guidance in Part II of Schedule 1 of the DPA on how to interpret them and examples of how they can apply (shown in italics).
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
(a) at least one of a set of conditions in Schedule 2 of the DPA is met, and
(b) in the case of sensitive personal data, at least one of a further set of conditions in Schedule 3 of the DPA is also met.
For processing to be fair, the Data Subject (i.e. the client or candidate) should be informed at the outset exactly what information is being obtained about them and what we are going to use it for.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Staff should not use personal data that the Company holds for its own business purposes for their own private purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
When obtaining personal data for work purposes, staff should obtain enough information to perform the Company’s obligations properly. Where the Company obtains or holds information from or about clients or third parties that is not relevant to the work the Company is undertaking, that information should not be used or disclosed in the performance of the work.
4. Personal data processed shall be accurate and, where necessary, kept up to date.
We require information to be updated if circumstances change.
5. Personal data will only be retained as long as is deemed necessary for that purpose.
6. Personal data shall be processed in accordance with the rights of Data Subjects under this Act.
Data Subjects have a right to see the personal data about them that the Company holds (see below) and in some cases may require information to be deleted, corrected or not processed in certain ways.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The Company has adopted an IT Policy and this is relevant for preventing unauthorised processing of personal data. Access to some personal data held by the Company is restricted to staff with a need to access it (e.g. personnel files). All staff are responsible for taking care in the way in which they deal with personal data and examples include:
(a) Not giving out personal contact details of colleagues where a different way of dealing with a request established to be genuine is available.
(b) Not leaving files taken out of the office in unsafe locations.
8. Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
If this is relevant to any activity always seek advice from a Director.