Data Protection Policy
Ratified at 06/04/10 Board Meeting
CONTENTS
Section 1: Principles of Data Protection
Manual Data
The Rights of Individuals
Section 2: Managing Personnel Records
Managing Data Protection
Collecting and Keeping General Records
Security
Sickness and Accident Records
Equal Opportunities Monitoring
Marketing
Fraud Detection
Individuals' Access to Information about Themselves
References
Disclosure Requests
Publication and Other Disclosures
Mergers and Acquisitions
Discipline, Grievance and Dismissal
Outsourcing Data Protection
Retention of Records
SECTION 1: PRINCIPLES OF DATA PROTECTION
1.1 SALSC must ensure that:
(a) They have obtained data fairly and lawfully: SALSC will put its name on all paperwork and
will state what the information is to be used for and if necessary who will receive the data.
(b) They hold data only for specific and lawful purposes: SALSC will ensure that data to be used
for direct marketing purposes will be done with the permission of the data subjects and the
third party will be asked to sign a declaration form stating how data is to be used. In addition
they will be asked to agree not to copy the data for further use.
(c) Data held is relevant, adequate and not excessive for its purpose: SALSC will monitor the
quantities of data held for their business purposes and ensure that we hold neither too much nor
too little data in respect of the individuals about whom the data is held.
(d) Data held is accurate and up to date: All errors must be rectified as soon as SALSC becomes
aware of an error. On written request SALSC can provide its members with a copy of their
data once a year for information and updating where relevant. All records are then amended
accordingly.
(e) Data is not kept longer than necessary: All financial data will be held for seven years and then
destroyed. All personal data will be removed from the system after one year of non-
membership has lapsed.
(f) Data is secure: SALSC must ensure that it has adequate security precautions in place to prevent
loss, destruction or unauthorised disclosures of the data. All SALSC computers have a log on
system, which allows only authorised personnel to access the personal data. All personal,
financial and child protection data is kept in a filing cabinet and can only be accessed by the
CEO and/or Chair. When SALSC individuals are using laptop computers out of the office care
should always be taken to ensure that personal data on screen is not visible to strangers.
(g) Prevention of the accidental loss or theft of personal data: SALSC automatically backs up all
data held. The back-up is held securely.
(h) Transfer of data: All personal data held by SALSC must not be transferred outside the
European Economic Area, unless that country or territory ensures an adequate level of
protection for the rights and freedoms of data subjects in relation to the processing of personal
data.
Manual Data
1.2 All membership forms are filed and are located within SALSC office premises. These files are
cleared on an annual basis but Bankers Order forms are archived and kept for the duration of the
membership.
The Rights of Individuals
1.3 All individuals for whom SALSC holds data have the right to:
(a) Be informed upon request of all the information held about them within 40 days
(b) Prevent the processing of their data for direct marketing purposes
(c) Compensation if they can show that they have been caused damage by any contravention of the
Act.
(d) The removal or correction of any inaccurate data about them.
1.4 SALSC has the right to charge a fee (as determined by the Board of Directors) for this service.
SECTION 2: MANAGING PERSONNEL RECORDS
2.1 It is the role of the CEO and Chair to administer the Data Protection Act requirements for
SALSC.
Managing Data Protection
2.2 SALSC observes the following key action points:
(a) The Chair shall be responsible for ensuring that employment practices and procedures comply
with the Act and for ensuring that they continue to do so.
(b) SALSC will ensure that people who process information about individuals understand their
own responsibility for data protection compliance and if necessary amend their working
practices in the light of this.
(c) SALSC will assess what personal data about individuals are in existence and who is
responsible for them.
(d) SALSC will eliminate the collection of personal data that are irrelevant or excessive. If
sensitive data are collected ensure that a sensitive data condition is satisfied.
(e) SALSC will ensure that individuals are aware of the extent to which they can be criminally
liable if they knowingly or recklessly disclose personal data outside SALSC's policies and
procedures. Serious breaches of data protection rules are a disciplinary offence.
(f) SALSC will allocate responsibility for checking that your organisation has a valid notification
in the register of data controllers that relates to the processing of personal data about
individuals, unless it is exempt from notification.
(g) SALSC will consult trade unions or other individuals' representatives, if any, or individuals
themselves over the development and implementation of employment practices and procedures
that involve the processing of individuals' data.
Collecting and Keeping General Records
2.3 SALSC observes the following key action points:
(a) SALSC will ensure that newly appointed individuals are aware of the nature and source of any
information stored about them, how it will be used and whom it will be disclosed to;
(b) SALSC shall inform new individuals and remind existing individuals about their rights under
the Act, including their right of access to the information kept upon them;
(c) SALSC will ensure that there is a clear and foreseeable need for any information collected
from individuals and that the information collected actually meets that need;
(d) On request, SALSC will provide each individual with a copy of information that may be
subject to change, e.g. personal details such as home address, annually or allow individuals to
view this on-line. Individuals may be asked to check their records for accuracy and ensure any
necessary amendments are made to bring records up-to-date;
(e) SALSC will incorporate accuracy, consistency and validity checks into systems.
Security
2.4 SALSC observes the following key action points:
(a) SALSC will apply security standards that take account of the risks of unauthorised access to,
accidental loss of, destruction of, or damage to records;
(b) SALSC will institute a system of secure cabinets, access controls and passwords to ensure that
individuals can only gain access to records where they have a legitimate business need to do
so;
(c) SALSC will use the audit trail capabilities of automated systems to track access and
amendments to personal data;
(d) SALSC will take steps to ensure the reliability of individuals that have access to individuals'
records. This is not just a matter of carrying out background checks, it shall also include
training and ensuring that individuals understand their responsibilities for confidential or
sensitive information. SALSC will ensure confidentiality clauses are placed in all contracts of
employment;
(e) SALSC will ensure that if records are taken off-site, e.g. on laptop computers, this is
controlled, making sure only the necessary information is taken and there are security rules for
individuals to follow;
(f) SALSC will take account of the risks of transmitting confidential individual information by fax
or e-mail. SALSC will only transmit information between locations if a secure network or
comparable arrangements are in place.
Sickness and Accident Records
2.5 SALSC observes the following key action points:
(a) The Chair will keep sickness and accident records in separate folders from absence records.
SALSC will not use sickness records for a particular purpose when records of absence could be
used instead.
(b) SALSC will ensure that the holding and use of sickness and accident records satisfies a
sensitive data condition.
(c) SALSC will only disclose information from sickness or accident records about an individual's
illness, medical condition or injury where there is a legal obligation to do so, where it is
necessary for legal proceedings or where the individual has given explicit consent to the
disclosure.
(d) SALSC will not make the sickness, accident or absence records of specific individuals
available to other individuals with information about those who work for them in so far as this
is necessary for them to carry out their managerial roles.
Equal Opportunities Monitoring
2.6 SALSC observes the following key action points:
(a) Information about an individual's ethnic origin, disability or religion is sensitive personal data.
SALSC will ensure that equal opportunities monitoring of these characteristics satisfies a
sensitive data condition;
(b) SALSC will only use information that identifies an individual where this is necessary to carry
out meaningful equal opportunities monitoring. Where practicable, SALSC will keep the
information collected in an anonymous form;
(c) SALSC will ensure questions are designed so that the personal information collected through
them is accurate and not excessive.
Marketing
2.7 SALSC observes the following key action points:
(a) SALSC will inform new individuals if it intends to use their personal information to deliver
advertising or marketing messages to them. SALSC shall give individuals a clear opportunity
to object (an 'opt-out') and respect any objections whenever received;
(b) SALSC will not disclose individuals' details to other organisations for their marketing unless
individuals have positively and freely indicated their agreement (an 'opt-in');
(c) SALSC will ensure that if the association intends to use details of existing individuals for
marketing for the first time either in ways that were not explained when they first joined or that
they would not expect, do not proceed until individuals have positively and freely indicated
their agreement (an 'opt-in').
Fraud Detection
2.8 SALSC observes the following key action points:
(a) SALSC will consult trade unions or other individual representatives, if any, or individuals
themselves before starting a data matching exercise. SALSC will act on any legitimate
concerns raised in consultation before starting the exercise;
(b) SALSC will inform new individuals of the use of payroll or other data in fraud prevention
exercises and remind them of this periodically;
(c) SALSC will not disclose individual data to other organisations for the prevention or detection
of fraud unless:
i. Required by law to make the disclosure, or
ii. SALSC believes that failure to disclose, in a particular instance, is likely to prejudice
the prevention or detection of crime, or
iii. The disclosure is provided for in an individual's contract of employment.
Individuals’ Access to Information about Themselves
2.9 SALSC observes the following key action points:
(a) SALSC will establish a system that enables the Chair to recognise a subject access request and
to locate all the information about an individual in order to be able to respond promptly and in
any case within 40 calendar days of receiving a request;
(b) SALSC will check the identity of anyone making a subject access request to ensure
information is only given to the person entitled to it;
(c) SALSC will provide the individual with a hard copy of the information kept, making clear any
codes used and the sources of the information;
(d) SALSC will make a judgement as to what information is reasonable to withhold concerning
the identities of third parties using the guidelines given later in this Policy;
(e) SALSC will inform relevant people in the organisation of the nature of information that will be
released to individuals who make subject access requests;
(f) SALSC will ensure that on request, promptly and in any event within 40 calendar days,
individuals are provided with a statement of how any automated decision-making process, to
which they are subject, is used, and how it works;
(g) When purchasing a computerised system SALSC will ensure that the system enables SALSC
to retrieve all the information relating to an individual without difficulty. SALSC will ensure
that the supplier of a system used to take automated decisions about individuals provides the
information needed to enable full responses to requests for information about how the system
works.
References
2.10 SALSC observes the following key action points about references given:
(a) SALSC will not provide confidential references about an individual unless you are sure that
this is the individual's wish;
(b) SALSC will establish at the time an individual's employment ends, whether or not the
individual wishes references to be provided to future employers or to others.
2.11 SALSC observes the following key action point about references received:
(a) When responding to a request from an individual to see his or her own reference and the
reference enables a third party to be identified, the Chair will make a judgement as to what
information it is reasonable to withhold, using the guidelines given later in this Policy.
Disclosure Requests
2.12 SALSC observes the following key action points:
(a) SALSC will ensure that disclosure decisions that are not covered by clear policy rules are only
taken by individuals who are familiar with the Act and this Policy, and who are able to give the
decision proper consideration;
(b) Unless under a legal obligation to do so, SALSC will only disclose information about an
individual where the Chair concludes that in all circumstances it is fair to do so taking into
account that the duty of fairness is owed primarily to the individual. Where possible SALSC
will take account of the individual's views and only disclose confidential information if the
individual has clearly agreed;
(c) Where a disclosure is requested in an emergency, SALSC will make a careful decision as to
whether to disclose, considering the nature of the information being requested and the likely
impact on the individual of not providing it;
(d) SALSC will make individuals aware that those seeking information sometimes use deception
to gain access to it. Ensure that they check the legitimacy of any request and the identity and
authority of the person making it;
(e) SALSC will ensure that if the association intends to disclose sensitive personal data, a sensitive
data condition is satisfied;
(f) Where the disclosure would involve a transfer of information about an individual to a country
outside the European Economic Area, SALSC will ensure that there is a proper basis for
making the transfer;
(g) SALSC will inform the individual before or as soon as is practicable after a request has been
received that a non-regular disclosure is to be made, unless prevented by law from doing so, or
unless this would constitute a “tip off” prejudicing a criminal or tax investigation;
(h) SALSC will keep a record of non-regular disclosures. SALSC will regularly check and review
this record to ensure that the requirements of the Act are being satisfied.
Publication and Other Disclosures
2.13 SALSC observes the following key action points:
(a) SALSC will only publish information about individuals where:
i. There is a legal obligation to do so, or
ii. The information is clearly not intrusive, or
iii. The individual has consented to disclosure, or
iv. The information is in a form that does not identify individual individuals.
(b) Where information about individuals is published on the basis of consent, SALSC will ensure
that when the individual gives consent he or she is made aware of the extent of information
that will be published, how it will be published and the implications of this;
(c) SALSC will only supply personal information about individuals to a trade union for its
recruitment purposes if:
i. The trade union is recognised by SALSC,
ii. The information is limited to that necessary to enable a recruitment approach, and
iii. Each individual has been previously told that this will happen and has been given a
clear opportunity to object.
(d) Where individual information is supplied to trade unions in the course of collective bargaining,
SALSC will ensure the information is such that specific individuals cannot be identified.
Mergers and Acquisitions
2.14 SALSC observes the following key action points:
(a) SALSC will ensure, wherever practicable, that information handed over to another
organisation in connection with a prospective acquisition or merger is anonymous;
(b) SALSC will only hand over personal information prior to the final merger or acquisition
decision after securing assurances that it will be used solely for the evaluation of assets and
liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will
be destroyed or returned after use;
(c) SALSC will advise individuals wherever practicable if their employment records are to be
disclosed to another organisation before an acquisition or merger takes place. If the acquisition
or merger proceeds SALSC will make sure individuals are aware of the extent to which their
records are to be transferred to the new employer;
(d) SALSC will ensure that if an individual intends to disclose sensitive personal data a sensitive
personal data condition is satisfied;
(e) Where a merger or acquisition involves a transfer of information about an individual to a
country outside the European Economic Area (EEA) SALSC will ensure that there is a proper
basis for making the transfer;
(f) SALSC will ensure that the records they hold as a result of a merger or acquisition do not
include excessive information, and are accurate and relevant.
Discipline, Grievance and Dismissal
2.15 SALSC observes the following key action points:
(a) The Data Protection Act applies to personal data processed in relation to discipline, grievance
and dismissal proceedings;
(b) SALSC will not access or use information kept about individuals merely because it might have
some relevance to a disciplinary or grievance investigation if access or use would be either:
i. Incompatible with the purpose(s) the information is to be obtained for, or
ii. Disproportionate to the seriousness of the matter under investigation.
(c) SALSC will ensure that there are clear procedures on how "spent" disciplinary warnings are
handled;
(d) SALSC will ensure that when employment is terminated the reason for this is accurately
recorded, and that the record reflects properly what the individual has been told about the
termination.
Outsourcing Data Processing
2.16 SALSC observes the following key action points:
(a) SALSC will ensure that any data processor chosen adopts appropriate security measures both
in terms of the technology it uses and how it is managed;
(b) SALSC will put in place a written contract with any data processor chosen that requires it to
process personal information only on the instructions of the Chair, and to maintain appropriate
security;
(c) Where the use of a data processor would involve a transfer of information about an individual
to a country outside the European Economic Area, SALSC will ensure that there is a proper
basis for making the transfer.
Retention of Records
2.17 SALSC observes the following key action points:
(a) SALSC will establish and adhere to standard retention times for the various categories of
information held on the records of individuals and former individuals. SALSC will base the
retention times on business need taking into account relevant professional guidelines;
(b) SALSC will ensure that any data about individuals is made anonymous where practicable;
(c) If the holding of any information on criminal convictions of individuals is justified, SALSC
will ensure that the information is deleted once the conviction is 'spent' under the
Rehabilitation of Offenders Act;
(d) SALSC will ensure that records, which are to be disposed of, are securely and effectively
destroyed.