Page 1 of 3
DATA PROTECTION ACT – PROCESSING DATA
Applies to: All Staff
PR-HR-314
Prepared by: Corporate
Uncontrolled if printed
Approved by: HR Manager
Reissue Date: Dec 13
Rev: 1.2
Review Date: Dec 16

1 PURPOSE

To state the requirements and measures necessary for protecting data in electronic and manual form so that each company and its staff comply with the requirements of the Data Protection Act 1998.

2 SCOPE

These briefing notes apply to the procedures used for collecting, maintaining, protecting, accessing, disclosing and disposing of personal data. This includes:

a) Data held on any central computer server;
b) Data held on any desktop personal computer or similar automatic device;
c) Data held and processed by any bureau or sub-contractor;
d) Data held on separate magnetic media such as floppy disks, cassettes, exchangeable discs, telecommunications devices, CD-ROMs and tapes;
e) Computer output on paper, fiche or similar media;
f) Manual data in structured files.

3 DEFINITION

For the purposes of the Data Protection Act:

Personal Data: Personal Data is data which relates to a living individual who can be identified either from that data alone or from that data and any other information in the Company’s possession, or which is likely to come into its possession. It also includes any expression of opinion about the individual and any information regarding the intentions of the data processor towards the individual, both singly and in combination with other information.

Sensitive Personal Data: There are conditions which must be met for processing sensitive data; these are contained in Procedure PR-HR312 (Lawful Processing).
Sensitive data is personal data that consists of information relating to a data subject’s:

Racial and ethnic origin;
Political opinions;
Physical or mental health or condition;
Sexual life;
Commission or alleged commission of offences;
Court proceedings, disposal of such proceedings or sentencing in such proceedings;
Religious or other beliefs; and
Trade union membership.

4 PROCEDURES

4.1 Collection

a) The Company must ensure that all personal data collected for input to a computer system, and manual records entered into a relevant filing system, are accurate, complete and not excessive in relation to the purpose(s) for which they are processed.

Document Template FO-QA-801 Rev.1.0 Issued By: Compliance Manager Issue Date: May 11

b) If information has been received from the data subject or from someone outside the Company, a note must be added to the information identifying its source. All reasonable measures should be taken to verify the accuracy of the information.
c) Where documents are used, these must be safely transferred to the input location in order to ensure that the security and safety of personal data is enforced at all times, using appropriate technical and organisational measures.
d) When personal data is obtained, the rights of the data subject must be protected.
e) Only relevant and adequate personal data should be collected; excessive items of data should be avoided.

4.2 Maintenance

a) All data should be maintained in an accurate and current state.
b) Where inaccuracies are identified, corrections should be applied immediately and a note made of how the accurate information was obtained.
c) All personal data should continue to be relevant and not excessive, and should not be retained for longer than necessary.
4.3 Protection

a) Computer equipment or other media holding data should be protected from unauthorised or unlawful processing and from accidental loss or destruction of, or damage to, personal data.
b) Where information is held on magnetic media, security copies should be maintained and stored in a safe location separately from the equipment. Access to this data must be subject to written authorisation.
c) Magnetic or other media holding personal data being transferred between locations should be protected from access and loss using appropriate technical and organisational measures.
d) The reliability and security of any outside data processors should be checked before awarding any contract to them and providing personal data. The performance of the processors should also be monitored regularly to ensure compliance and security.

4.4 Access

a) Authorisation procedures must ensure that access is restricted to staff who require access to personal data for the discharge of their duties.
b) Where terminals are used, appropriate security systems such as badges and passwords should be used, and passwords should be changed regularly.
c) Terminals should be located so that only the user can access the information. Standard screensaver passwords should be used to minimise the risk of unauthorised viewing.
d) Access to manually held personal data must be restricted to minimise the risk of unauthorised or accidental disclosure.

4.5 Disclosure

a) Procedures should ensure that personal data is only disclosed to the individual concerned, or to third parties in other clearly authorised circumstances (refer to PR-HR-311).
b) Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory can ensure an adequate level of protection and security of the personal data and the subjects.

4.6 Disposal

a) Data should only be held for the period required by its specific purpose and not retained for an excessive time.
b) All personal data held on tapes, disks, CD-ROMs or other magnetic media should be positively deleted and cleaned before they are re-used or new data is written over the old. There must be no possibility of the old personal data reaching somebody who is not authorised to receive it.
c) All out-of-date data, irrespective of the media on which they are held, must be securely destroyed.

5 IMPLEMENTATION

The HR Manager is the responsible person and is required to:

a) Review existing procedures involving the use of personal data to ensure that they comply with the provisions of the Data Protection Act.
b) Ensure adequate training and dissemination of information to the employees of the Company in relation to these Guidelines and the requirements of the Data Protection Act.
c) Review the access controls to areas where personal data is stored or accessed, both during working hours and at other periods, to ensure the necessary level of security is in force.
d) Review the location of video terminals and desktop computers to ensure that information displayed is not visible to unauthorised persons, whether members of staff or of the public.
e) Develop and maintain data security procedures for the Company.

Document Template FO-QA-801 Rev.1.0 Issued By: Compliance Manager First Issue Date: May 11 Review Date: May 14