SALSC_Data_Protection_Policy

http://www.salsc.org.uk/htdocs/pdf/Policies%20and%20Procedures/SALSC_Data_Protection_Policy.pdf

Data Protection Policy

Ratified at 06/04/10 Board Meeting

CONTENTS

Section 1: Principles of Data Protection

Manual Data

The Rights of Individuals

Section 2: Managing Personnel Records

Managing Data Protection

Collecting and Keeping General Records

Security

Sickness and Accident Records

Equal Opportunities Monitoring

Marketing

Fraud Detection

Individuals’ Access to Information about Themselves

References

Disclosure Requests

Publication and Other Disclosures

Mergers and Acquisitions

Discipline, Grievance and Dismissal

Outsourcing Data Protection

Retention of Records

SECTION 1: PRINCIPLES OF DATA PROTECTION

1.1 SALSC must ensure that:

(a) They have obtained data fairly and lawfully: SALSC will put its name on all paperwork and will state what the information is to be used for and if necessary who will receive the data.

(b) They hold data only for specific and lawful purposes: SALSC will ensure that data is used for direct marketing purposes only with the permission of the data subjects, and the third party will be asked to sign a declaration form stating how the data is to be used. In addition they will be asked to agree not to copy the data for further use.

(c) Data held is relevant, adequate and not excessive for its purpose: SALSC will monitor the quantities of data held for their business purposes and ensure that we hold neither too much nor too little data in respect of the individuals about whom the data is held.

(d) Data held is accurate and up to date: All errors must be rectified as soon as SALSC becomes aware of an error. On written request SALSC can provide its members with a copy of their data once a year for information and updating where relevant. All records are then amended accordingly.

(e) Data is not kept longer than necessary: All financial data will be held for seven years and then destroyed. All personal data will be removed from the system after one year of non-membership has lapsed.

(f) Data is secure: SALSC must ensure that it has adequate security precautions in place to prevent loss, destruction or unauthorised disclosures of the data. All SALSC computers have a log-on system, which allows only authorised personnel to access the personal data. All personal, financial and child protection data is kept in a filing cabinet and can only be accessed by the CEO and/or Chair. When SALSC individuals are using laptop computers out of the office, care should always be taken to ensure that personal data on screen is not visible to strangers.

(g) Prevention of the accidental loss or theft of personal data: SALSC automatically backs up all data held. The back-up is held securely.

(h) Transfer of data: All personal data held by SALSC must not be transferred outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Manual Data

1.2 All membership forms are filed and are located within SALSC office premises. These files are cleared on an annual basis but Bankers Order forms are archived and kept for the duration of the membership.

The Rights of Individuals

1.3 All individuals for whom SALSC holds data have the right to:

(a) Be informed upon request of all the information held about them within 40 days

(b) Prevent the processing of their data for direct marketing purposes

(c) Compensation if they can show that they have been caused damage by any contravention of the Act.

(d) The removal or correction of any inaccurate data about them.

1.4 SALSC has the right to charge a fee (as determined by the Board of Directors) for this service.

SECTION 2: MANAGING PERSONNEL RECORDS

2.1 It is the role of the CEO and Chair to administer the Data Protection Act requirements for SALSC.

Managing Data Protection

2.2 SALSC observes the following key action points:

(a) The Chair shall be responsible for ensuring that employment practices and procedures comply with the Act and for ensuring that they continue to do so.

(b) SALSC will ensure that people who process information about individuals understand their own responsibility for data protection compliance and if necessary amend their working practices in the light of this.

(c) SALSC will assess what personal data about individuals are in existence and who is responsible for them.

(d) SALSC will eliminate the collection of personal data that are irrelevant or excessive. If sensitive data are collected, SALSC will ensure that a sensitive data condition is satisfied.

(e) SALSC will ensure that individuals are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside SALSC’s policies and procedures. Serious breaches of data protection rules are a disciplinary offence.

(f) SALSC will allocate responsibility for checking that the organisation has a valid notification in the register of data controllers that relates to the processing of personal data about individuals, unless it is exempt from notification.

(g) SALSC will consult trade unions or other individuals’ representatives, if any, or individuals themselves over the development and implementation of employment practices and procedures that involve the processing of individuals’ data.

Collecting and Keeping General Records

2.3 SALSC observes the following key action points:

(a) SALSC will ensure that newly appointed individuals are aware of the nature and source of any information stored about them, how it will be used and whom it will be disclosed to;

(b) SALSC shall inform new individuals and remind existing individuals about their rights under the Act, including their right of access to the information kept upon them;

(c) SALSC will ensure that there is a clear and foreseeable need for any information collected from individuals and that the information collected actually meets that need;

(d) On request, SALSC will provide each individual with a copy of information that may be subject to change, e.g. personal details such as home address, annually or allow individuals to view this on-line. Individuals may be asked to check their records for accuracy and ensure any necessary amendments are made to bring records up-to-date;

(e) SALSC will incorporate accuracy, consistency and validity checks into systems.

Security

2.4 SALSC observes the following key action points:

(a) SALSC will apply security standards that take account of the risks of unauthorised access to, accidental loss of, destruction of, or damage to records;

(b) SALSC will institute a system of secure cabinets, access controls and passwords to ensure that individuals can only gain access to records where they have a legitimate business need to do so;

(c) SALSC will use the audit trail capabilities of automated systems to track access and amendments to personal data;

(d) SALSC will take steps to ensure the reliability of individuals that have access to individuals’ records. This is not just a matter of carrying out background checks; it shall also include training and ensuring that individuals understand their responsibilities for confidential or sensitive information. SALSC will ensure confidentiality clauses are placed in all contracts of employment;

(e) SALSC will ensure that if records are taken off-site, e.g. on laptop computers, this is controlled, making sure only the necessary information is taken and there are security rules for individuals to follow;

(f) SALSC will take account of the risks of transmitting confidential individual information by fax or e-mail. SALSC will only transmit information between locations if a secure network or comparable arrangements are in place.

Sickness and Accident Records

2.5 SALSC observes the following key action points:

(a) The Chair will keep sickness and accident records in separate folders from absence records. SALSC will not use sickness records for a particular purpose when records of absence could be used instead.

(b) SALSC will ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.

(c) SALSC will only disclose information from sickness or accident records about an individual’s illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the individual has given explicit consent to the disclosure.

(d) SALSC will not make the sickness, accident or absence records of specific individuals available to other individuals with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.

Equal Opportunities Monitoring

2.6 SALSC observes the following key action points:

(a) Information about an individual’s ethnic origin, disability or religion is sensitive personal data. SALSC will ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition;

(b) SALSC will only use information that identifies an individual where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, SALSC will keep the information collected in an anonymous form;

(c) SALSC will ensure questions are designed so that the personal information collected through them is accurate and not excessive.

Marketing

2.7 SALSC observes the following key action points:

(a) SALSC will inform new individuals if it intends to use their personal information to deliver advertising or marketing messages to them. SALSC shall give individuals a clear opportunity to object (an ‘opt-out’) and respect any objections whenever received;

(b) SALSC will not disclose individuals’ details to other organisations for their marketing unless individuals have positively and freely indicated their agreement (an ‘opt-in’);

(c) SALSC will ensure that, if the association intends to use details of existing individuals for marketing for the first time, either in ways that were not explained when they first joined or that they would not expect, it does not proceed until individuals have positively and freely indicated their agreement (an ‘opt-in’).

Fraud Detection

2.8 SALSC observes the following key action points:

(a) SALSC will consult trade unions or other individual representatives, if any, or individuals themselves before starting a data matching exercise. SALSC will act on any legitimate concerns raised in consultation before starting the exercise;

(b) SALSC will inform new individuals of the use of payroll or other data in fraud prevention exercises and remind them of this periodically;

(c) SALSC will not disclose individual data to other organisations for the prevention or detection of fraud unless:

i. Required by law to make the disclosure, or

ii. SALSC believes that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or

iii. The disclosure is provided for in an individual’s contract of employment.

Individuals’ Access to Information about Themselves

2.9 SALSC observes the following key action points:

(a) SALSC will establish a system that enables the Chair to recognise a subject access request and to locate all the information about an individual in order to be able to respond promptly and in any case within 40 calendar days of receiving a request;

(b) SALSC will check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it;

(c) SALSC will provide the individual with a hard copy of the information kept, making clear any codes used and the sources of the information;

(d) SALSC will make a judgement as to what information is reasonable to withhold concerning the identities of third parties using the guidelines given later in this Policy;

(e) SALSC will inform relevant people in the organisation of the nature of information that will be released to individuals who make subject access requests;

(f) SALSC will ensure that on request, promptly and in any event within 40 calendar days, individuals are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works;

(g) When purchasing a computerised system SALSC will ensure that the system enables SALSC to retrieve all the information relating to an individual without difficulty. SALSC will ensure that the supplier of a system used to take automated decisions about individuals provides the information needed to enable full responses to requests for information about how the system works.

References

2.10 SALSC observes the following key action points about references given:

(a) SALSC will not provide confidential references about an individual unless it is sure that this is the individual’s wish;

(b) SALSC will establish at the time an individual’s employment ends, whether or not the individual wishes references to be provided to future employers or to others.

2.11 SALSC observes the following key action point about references received:

(a) When responding to a request from an individual to see his or her own reference and the reference enables a third party to be identified, the Chair will make a judgement as to what information it is reasonable to withhold, using the guidelines given later in this Policy.

Disclosure Requests

2.12 SALSC observes the following key action points:

(a) SALSC will ensure that disclosure decisions that are not covered by clear policy rules are only taken by individuals who are familiar with the Act and this Policy, and who are able to give the decision proper consideration;

(b) Unless under a legal obligation to do so, SALSC will only disclose information about an individual where the Chair concludes that in all circumstances it is fair to do so taking into account that the duty of fairness is owed primarily to the individual. Where possible SALSC will take account of the individual’s views and only disclose confidential information if the individual has clearly agreed;

(c) Where a disclosure is requested in an emergency, SALSC will make a careful decision as to whether to disclose, considering the nature of the information being requested and the likely impact on the individual of not providing it;

(d) SALSC will make individuals aware that those seeking information sometimes use deception to gain access to it. SALSC will ensure that they check the legitimacy of any request and the identity and authority of the person making it;

(e) SALSC will ensure that if the association intends to disclose sensitive personal data, a sensitive data condition is satisfied;

(f) Where the disclosure would involve a transfer of information about an individual to a country outside the European Economic Area, SALSC will ensure that there is a proper basis for making the transfer;

(g) SALSC will inform the individual before or as soon as is practicable after a request has been received that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a “tip off” prejudicing a criminal or tax investigation;

(h) SALSC will keep a record of non-regular disclosures. SALSC will regularly check and review this record to ensure that the requirements of the Act are being satisfied.

Publication and Other Disclosures

2.13 SALSC observes the following key action points:

(a) SALSC will only publish information about individuals where:

i. There is a legal obligation to do so, or

ii. The information is clearly not intrusive, or

iii. The individual has consented to disclosure, or

iv. The information is in a form that does not identify specific individuals.

(b) Where information about individuals is published on the basis of consent, SALSC will ensure that when the individual gives consent he or she is made aware of the extent of information that will be published, how it will be published and the implications of this;

(c) SALSC will only supply personal information about individuals to a trade union for its recruitment purposes if:

i. The trade union is recognised by SALSC,

ii. The information is limited to that necessary to enable a recruitment approach, and

iii. Each individual has been previously told that this will happen and has been given a clear opportunity to object.

(d) Where individual information is supplied to trade unions in the course of collective bargaining, SALSC will ensure the information is such that specific individuals cannot be identified.

Mergers and Acquisitions

2.14 SALSC observes the following key action points:

(a) SALSC will ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymous;

(b) SALSC will only hand over personal information prior to the final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use;

(c) SALSC will advise individuals wherever practicable if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds SALSC will make sure individuals are aware of the extent to which their records are to be transferred to the new employer;

(d) SALSC will ensure that if an individual intends to disclose sensitive personal data a sensitive personal data condition is satisfied;

(e) Where a merger or acquisition involves a transfer of information about an individual to a country outside the European Economic Area (EEA) SALSC will ensure that there is a proper basis for making the transfer;

(f) SALSC will ensure that the records they hold as a result of a merger or acquisition do not include excessive information, and are accurate and relevant.

Discipline, Grievance and Dismissal

2.15 SALSC observes the following key action points:

(a) The Data Protection Act applies to personal data processed in relation to discipline, grievance and dismissal proceedings;

(b) SALSC will not access or use information kept about individuals merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:

i. Incompatible with the purpose(s) the information is to be obtained for, or

ii. Disproportionate to the seriousness of the matter under investigation.

(c) SALSC will ensure that there are clear procedures on how "spent" disciplinary warnings are handled;

(d) SALSC will ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the individual has been told about the termination.

Outsourcing Data Processing

2.16 SALSC observes the following key action points:

(a) SALSC will ensure that any data processor chosen adopts appropriate security measures both in terms of the technology it uses and how it is managed;

(b) SALSC will put in place a written contract with any data processor chosen that requires it to process personal information only on the instructions of the Chair, and to maintain appropriate security;

(c) Where the use of a data processor would involve a transfer of information about an individual to a country outside the European Economic Area, SALSC will ensure that there is a proper basis for making the transfer.

Retention of Records

2.17 SALSC observes the following key action points:

(a) SALSC will establish and adhere to standard retention times for the various categories of information held on the records of individuals and former individuals. SALSC will base the retention times on business need taking into account relevant professional guidelines;

(b) SALSC will ensure that any data about individuals is made anonymous where practicable;

(c) If the holding of any information on criminal convictions of individuals is justified, SALSC will ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act;

(d) SALSC will ensure that records, which are to be disposed of, are securely and effectively destroyed.