Data Protection Policy Overview
- Appoint a Data Controller, i.e. a person to be in charge of all aspects of information, including the DPA and FOI Act.
- Audit information systems to find out who holds what data, and why.
- Consider why information is collected and how it is used.
- Issue guidelines for managers about how to gather, store and retrieve data.
- Ensure that all information collected now complies with the Data Protection Act 1998.
- Check the security of information stored.
- Check the transfer of data outside the European Economic Area.
- Check the organisation’s use of automated decision making.
- Review policy and practice in respect of references.
- Review policy for the private use of telephones, email and post.
We operate within current legal frameworks
The DPA implements an EU Directive (the Data Protection Directive 95/46/EC) and both the Act and the Directive aim to give individuals rights in connection with the processing of manual and computerised personal data and on the movement of such data. Statutory provisions concerning data protection are:
- The Human Rights Act 1998
- The Regulation of Investigatory Powers Act 2000 (RIPA)
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
- The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/2905)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
- The Environmental Information Regulations 2004 (SI 2004/3391)
- The United Kingdom Data Protection (Processing of Sensitive Personal Data) Order 2006 (SI 2006/2068).
The Public Interest Disclosure Act 1998 is not relevant to the protection of data as such, but does protect employees against detrimental treatment or dismissal as a result of any whistleblowing or disclosure of information in the public interest. There is also an underlying common law rule that provides limited protection for confidential information in an employment context, ensuring that information, personal or otherwise, that is given in confidence is neither disclosed nor used for the recipient’s benefit without consent.
Data controllers must comply with certain data protection principles. Those about whom data are processed (data subjects) are also provided with a number of rights. All must take steps to handle, process and store data responsibly and keep up to date with legal developments in this area to ensure data is:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- not kept for longer than is necessary
- processed in line with your rights
- not transferred to countries outside the EU without adequate protection.
The DPA applies to personal data in computerised, manual or any other format, as long as the data is in a system that allows the information to be readily accessible. Most personnel and employment files will be covered by the DPA. Data controllers must comply with The Employment Practices Code issued with supplementary guidance by the Information Commissioner.
Access to information
If information falls within the DPA, a data subject has a right to request a copy. The request must be in writing, accompanied by sufficient detail to enable the data to be identified and a fee of £10 paid in advance. The information must be supplied within 40 days. An audit of the various filing systems, including private and duplicate systems, will be necessary to enable the 40-day limit to be met.
Together with information on race, religion or belief, union membership, sexual life and crimes, health information is classed as sensitive information by the law. It can only be held with the explicit consent of the individual, which creates problems for holding health records. For new employees consent may be included in their employment contract. Existing employees may be asked to give their consent, but if this is refused the employer still has to make a decision and will have to act on the information supplied to it.
Data subjects may be able to gain access to their references. This depends, however, upon whether the request is made of the organisation providing the reference (usually the previous or current employer) or the organisation requesting the reference (the new or prospective employer). The recipient of a confidential reference can only disclose the reference by complying with the DPA’s confidentiality rules. The referee who has given a confidential reference for employment, self-employment or educational purposes can withhold the reference from disclosure, though this only applies where the reference is given in confidence.
Email and the Internet
Monitoring should be as unintrusive as possible, for example using traffic data rather than accessing the content of an email.
Email communication between you and our staff may be intercepted with both parties’ consent. Email and other online communication may be intercepted without consent:
- To establish facts relating to our service
- For quality control or training
- To comply with regulatory or self-regulatory procedures
- For system maintenance
- To detect unauthorised use
- To prevent or detect crime
- For national security purposes.
Sending information abroad
Information may be sent to any country within the European Economic Area or to Hungary or Switzerland. It may be sent to an organisation in the USA if that organisation has signed up to the Safe Harbour Agreement made with the European Union. Otherwise the consent of the employee is needed.
Until further notice the company director, Mark Pellant, will act as the Data Controller. All questions and comments relating to this Data Protection Policy should be addressed to him.
Approved for annual review by Mark Pellant, Company Director, January 2016.