Data Protection Act Processing Data

DATA PROTECTION ACT – PROCESSING DATA
Applies to: All Staff
PR-HR-314
Prepared by: Corporate
Approved by: HR Manager
Uncontrolled if printed
Reissue Date: Dec 13
Rev: 1.2
Review Date: Dec 16

1 PURPOSE
To state the requirements and measures necessary for protecting personal data held in electronic and manual form, so that the Company and its staff comply with the requirements of the Data Protection Act 1998.
2 SCOPE
These briefing notes apply to the procedures used for collecting, maintaining, protecting, accessing, disclosing and disposing of personal data. This includes:
a) Data held on any central computer server;
b) Data held on any desktop personal computer or similar automatic device;
c) Data held and processed by any bureau or sub-contractor;
d) Data held on separate magnetic or optical media such as floppy disks, cassettes, exchangeable discs, telecommunications devices, CD-ROMs and tapes;
e) Computer output on paper, fiche or similar media;
f) Manual data in structured files.

3 DEFINITION
For the purposes of the Data Protection Act:

Personal Data:
Personal Data is data which relates to a living individual who can be identified either from that data alone, or from that data together with any other information which is in the Company's possession or is likely to come into its possession. It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive Personal Data:
Sensitive personal data is personal data consisting of information relating to a data subject's:
- racial or ethnic origin;
- political opinions;
- physical or mental health or condition;
- sexual life;
- commission or alleged commission of any offence;
- proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings;
- religious beliefs or other beliefs of a similar nature; and
- trade union membership.
The conditions which must be met before sensitive personal data may be processed are set out in Procedure PR-HR-312 (Lawful Processing).

4 PROCEDURES
4.1 Collection
a) The Company must ensure that all personal data collected for input to a computer system or to a relevant manual filing system is accurate, complete and not excessive in relation to the purpose(s) for which it is processed.
Document Template FO-QA-801
Rev.1.0
Issued By: Compliance Manager
Issue Date: May 11
b) If information has been received from the data subject or from someone outside the Company, a note must be added to the information identifying its source, and all reasonable measures should be taken to verify its accuracy.
c) Where paper documents are used, they must be transferred securely to the input location so that the security of the personal data is maintained at all times, using appropriate technical and organisational measures.
d) When personal data is obtained, the rights of the data subject must be protected.
e) Only relevant and adequate personal data should be collected; excessive items of data must be avoided.
4.2 Maintenance
a) All personal data should be kept accurate and up to date.
b) Where inaccuracies are identified, corrections should be applied immediately and a note made of the source of the corrected information.
c) All personal data should continue to be relevant and not excessive, and should not be retained for longer than necessary.
4.3 Protection
a) Computer equipment and other media holding personal data should be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
b) Where information is held on magnetic media, backup (security) copies should be maintained and stored in a safe location separate from the equipment. Access to these copies must be subject to written authorisation.
c) Magnetic or other media holding personal data that are transferred between locations should be protected against unauthorised access and loss, using appropriate technical and organisational measures.
d) The reliability and security of any outside data processor must be checked before a contract is awarded and before any personal data is provided. The processor's performance should also be monitored regularly to ensure continued compliance and security.
4.4 Access
a) Authorisation procedures must ensure that access to personal data is restricted to staff who require it for the discharge of their duties.
b) Where terminals are used, appropriate security controls such as badges and passwords should be in place, and passwords should be changed regularly.
c) Terminals should be located so that only the user can see the information displayed, and password-protected screensavers should be used to minimise the risk of unauthorised viewing.
d) Access to manually held personal data must be restricted to minimise the risk of unauthorised or accidental disclosure.
4.5 Disclosure
a) Procedures should ensure that personal data is disclosed only to the individual concerned, or to third parties in other clearly authorised circumstances (refer to PR-HR-311).
b) Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4.6 Disposal
a) Data should be held only for the period required by its specific purpose and not retained for an excessive time.
b) All personal data held on tapes, disks, CD-ROMs or other media must be securely erased before the media are re-used or new data is written over the old, so that there is no possibility of the old personal data reaching anybody who is not authorised to receive it.
c) All out-of-date data, irrespective of the media on which it is held, must be securely destroyed.

5 IMPLEMENTATION
The HR Manager is the responsible person and is required to:
a) Review existing procedures involving the use of personal data to ensure that they comply with the provisions of the Data Protection Act.
b) Ensure adequate training and dissemination of information to the employees of the Company in relation to these Guidelines and the requirements of the Data Protection Act.
c) Review the access controls to areas where personal data is stored or accessed, both during working hours and at other times, to ensure that the necessary level of security is in force.
d) Review the location of video terminals and desktop computers to ensure that information displayed is not visible to unauthorised persons, whether members of staff or of the public.
e) Develop and maintain data security procedures for the Company.