Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Data Protection Policy notes for website

advertisement 
Data Protection Policy notes for website
The following is excerpted from the Spirit Radio Data Protection Policy.
1.1.
For the purposes of this policy, the term “data subject” refers to all
living individuals about whom we hold personal data. A data subject
need not be an Irish national or resident. All data subjects have legal
rights in relation to their personal data.
1.2.
Upon request, the data subject must be told who the data controller is
(in this case Spirit Radio, who the data controller's representative is (in
this case the Data Protection Compliance Manager), the purpose for
which the data is to be processed by us, and the identities of anyone to
whom the data may be disclosed or transferred. Upon request, the
data subject should also be told of their right of access to, and the right
of rectification of, their information and whether replies to questions
asked for the purpose of collection of such information are obligatory.
1.3.
For personal data to be processed lawfully, certain conditions have to
be met before it is collected. These may include, among other things,
requirements that the data subject has consented to the processing, or
that the processing is necessary for the legitimate interest of the data
controller or the party to whom the data is disclosed. When sensitive
personal data is being processed, more than one condition must be
met. In most cases the data subject's explicit consent to the processing
of such data will be required.
1.4.
Personal data may only be processed for the specific purposes notified
to the data subject when the data was first collected or for any other
purposes specifically permitted by the Acts.
1.5.
This means that personal data must not be collected for one purpose
and then used for another. A key test of compatibility is whether the
personal data is used in a way in which the data subject whom
supplied the information would expect it to be used and disclosed.
1.6.
If it becomes necessary to change the purpose for which the data is
processed, the data subject must be informed of the new purpose
before any processing occurs.
1.7.
Personal data should only be collected to the extent that it is required
for the specific purpose notified to the data subject. Any data which is
not necessary for that purpose should not be collected in the first place.
1.8.
Personal data should not be kept longer than is necessary for the
purpose for which it was originally collected. This means that data
should be destroyed or erased from our systems when it is no longer
required. For guidance on how long certain data is likely to be kept
before being destroyed, contact the Data Protection Compliance
Manager.
1.9.
Data must be processed in line with data subjects' rights. Data subjects
have a right to:
(a) Request access to any data held about them by a data controller.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data amended.
(d) Prevent processing that is likely to cause damage or distress to
themselves or anyone else.
1.10.
Data subjects should be informed of these rights.
1.11. We must ensure that appropriate security measures are taken against
unlawful or unauthorised processing of personal data, and against the
accidental loss of, or damage to, personal data.
1.12. The Acts requires us to put in place procedures and technologies to
maintain the security of all personal data from the point of collection to
the point of destruction.
1.13. Personal data may only be transferred to a third-party data processor if
he agrees to comply with those procedures and policies and provided
we are satisfied that he has adequate security measures in place.
1.14. A written agreement should be put in place with any third-party data
processor in which he expressly agrees to comply with our procedures
and policies and confirms that he will only process personal data
subject to, and in accordance with, our instructions and that he has and
will maintain and implement adequate security measures in respect of
any personal data disclosed to him.
1.15. Maintaining data security means guaranteeing the confidentiality,
integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use
the data can access it.
(b) Integrity means that personal data should be accurate and suitable
for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access
the data if they need it for authorised purposes. Personal data
should therefore be stored on our central computer system instead
of individual PCs.
1.16. Security procedures include:
(a) Entry controls. Any stranger seen in entry-controlled areas should
be reported.
(b) Secure lockable desks and cupboards. Desks and cupboards
should be kept locked if they hold confidential information of any
kind. (Personal information is always considered confidential.)
(c) Methods of disposal. Paper documents should be shredded.
Floppy disks and CD-ROMs should be physically destroyed when
they are no longer required.
(d) Equipment. Data users should ensure that individual monitors do
not show confidential information to passers-by and that they log
off from their PC when it is left unattended.
1.17. Further examples of security measures include access control,
encryption, anti-virus software, firewalls and automatic locking of
computers during periods of non-use.
2.
2.1.
DIRECT MARKETING
There are specific rules which regulate direct marketing. Accordingly,
a direct marketing campaign, such as by e-mail etc, should not be
undertaken without first having obtained the approval of the Data
Protection Compliance Manager.
3.
3.1.
PROVIDING INFORMATION OVER THE TELEPHONE
Any member of staff dealing with telephone enquiries should be careful
about disclosing any personal information held by us. In particular they
should:
(a) Check the caller's identity to make sure that information is only
given to a person who is entitled to it.
(b) Suggest that the caller put their request in writing if they are not
sure about the caller's identity and where their identity cannot be
checked.
(c) Refer to the Data Protection Compliance Manager for assistance
in difficult situations. No-one should be bullied into disclosing
personal information.
Dealing with Subject Access Requests
18.4.16.1.
A formal request from a data subject for
information that we hold about them must be made in writing. A
fee of up to €6.35 is payable by the data subject for provision of
this information, although we can decide to waive this
requirement.
18.4.16.2.
Any member of staff who receives a written
request should forward it to the Data Protection Compliance
Manager immediately. This is crucial as all such requests must
be complied with within 40 days.
Related documents
Data Protection Policy
Data Protection Policy
Data Protection Policy - West Newcastle Academy
Data Protection Policy - West Newcastle Academy
Privacy statement for met east officials
Privacy statement for met east officials
Data Protection Policy
Data Protection Policy
Data Protection Policy - Witham Fourth District Internal Drainage Board
Data Protection Policy - Witham Fourth District Internal Drainage Board
sdcc-compliance-guidelines
sdcc-compliance-guidelines
DEFINITION OF PERSONAL DATA
DEFINITION OF PERSONAL DATA
Application for Land Value Tax Rate Applicable to Land Used for
Application for Land Value Tax Rate Applicable to Land Used for
NORTH NORFOLK DISTRICT COUNCIL DATA PROTECTION POLICY Revised June 2013
NORTH NORFOLK DISTRICT COUNCIL DATA PROTECTION POLICY Revised June 2013
Introduction to Data Processing System
Introduction to Data Processing System
Data Protection and Data Security Policy
Data Protection and Data Security Policy
Sequencing - ibsgsection
Sequencing - ibsgsection
Download
advertisement