European College of Business and Management Data Protection Policy

1. INTRODUCTION

1.1 The European College of Business and Management (ECBM) is committed to full compliance with the Data Protection Act 1998 ["the Act"] and recognises in full the rights and obligations established by the Act in relation to the management and processing of personal data. This Policy is intended to serve as general guidance for staff and students in implementing the letter and spirit of the provisions and principles of the Act.

2. A BROAD OVERVIEW OF THE ACT

2.1 The purpose of the Act is to protect the rights and privacy of individuals, and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible.

2.2 The introduction of the Freedom of Information Act 2000 amended the Data Protection Act for public authorities, which means that all personal data, and not just that held in a structured form, is covered by the Act.

3. DEFINITIONS

3.1 Personal Data: Data which relate to a living individual who can be identified from the data, or from the data and other information about the individual which is in the possession of, or is likely to come into the possession of, the data controller. Personal data includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

3.2 Personal Sensitive Data: Personal data relating to racial or ethnic origins, political opinions, religious beliefs, union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences and criminal proceedings.

3.3 Data Controller: A person or organisation who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. In ECBM this role is undertaken by the appointed College Data Protection Officer.

3.4 Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller (described in the 1984 Act as a computer bureau).

3.5 Data Subject: A living individual who is the subject of the personal data.

3.6 Processing: The obtaining, recording, holding, organising, combining, altering, retrieving, consulting, disclosing, disseminating, deleting, destroying or otherwise using the data.

3.7 Third Party: Any person other than a data subject, the data controller, any data processor, or any other person authorised to process data for the data controller or processor.

4. NOTIFICATION

4.1 The Act requires all data controllers to inform the Office of the Information Commissioner (a process known as notification) of:
(i) The purpose for which personal data is held or used, e.g. student administration, research, marketing;
(ii) The types of person for whom personal data is held, e.g. students, employees etc., and the class of data, e.g. personal identifiers, education records etc.;
(iii) The source or sources from which the data is obtained and the persons to whom the data may be disclosed;
(iv) The countries to which data is transferred.

5. THE DATA PROTECTION PRINCIPLES

5.1 The Act contains eight principles, which provide a general framework of duty on the University on how it should process personal data. Personal data should be:
Processed fairly and lawfully;
Obtained for one or more specified and lawful purpose(s) and not processed in any manner incompatible with that purpose or purposes;
Adequate, relevant and not excessive for the purpose(s);
Accurate and up-to-date;
Not kept for any longer than necessary for the purpose(s);
Processed in accordance with the data subject's rights;
Kept safe from unauthorised processing, or accidental loss, damage or destruction;
Not transferred to a country or territory outside the European Economic Area (EEA) unless that country has equivalent levels of protection for personal data.

6. CONSENT

6.1 In order for personal data to be processed fairly and lawfully, it is essential that the data subject has given his/her consent. This is particularly important if the personal data is classed as sensitive, as defined under the Act.

6.2 ECBM staff must ensure that consent is always obtained. The most usual methods are by ensuring that there is a data protection statement included on all forms capturing personal data, within guidance notes for the completion of forms, in relevant staff and student handbooks, and on any forms completed on-line.

7. RIGHT OF SUBJECT ACCESS

7.1 The Act gives data subjects the right of access to their personal data held by ECBM. A request must be made in writing (and this includes e-mail requests), and a £15 administrative fee paid. This entitles the individual to be told by ECBM whether the College is processing that individual's personal data, the purposes for which they are being processed, to whom they are or may be disclosed, and to receive, in an intelligible manner, a copy of their personal data.

7.2 ECBM must ensure that it has proof of the identity of the requestor to prevent an unlawful disclosure, and will not release data unless it has that proof.

7.3 A data subject can request access to their personal data through another party such as a lawyer or an advocate. A signed letter or form of authority from the data subject must be provided before any data is disclosed.

7.4 ECBM is required by the Act to respond within 40 calendar days of receipt of the request and the fee, but every effort should be made to respond as quickly as possible. The 40 days apply to all requests for personal data, whether routine or complex.

7.5 If the request arises as part of another matter, for instance a Personal Mitigating Circumstances [PMC] request, an academic appeal, complaint, grievance or disciplinary matter, the requirements of the DPA must not be overlooked, particularly the 40 day deadline. In these circumstances, staff must seek advice from the Data Protection Officer.

7.6 The requested data should normally be provided in permanent form on paper.

7.7 If the data subject believes that their personal data is inaccurate, out-of-date, held unnecessarily or is offensive, they have the right to have the information rectified, blocked, erased or destroyed. The data subject also has the right to insist that the College ceases to process their personal data if such processing is causing or is likely to cause unwarranted substantial damage or substantial distress to them or to another. The data subject may also have a right to compensation if it can be proven that damage or distress has been caused.

8. THIRD PARTY DATA AND THE SUBJECT ACCESS RIGHT

8.1 When handling a subject access request, sometimes another individual (known as a third party) may be identified in the personal data to be disclosed. ECBM will only disclose third party data under the Act with the consent of that third party, or if it is reasonable to do so without consent. In determining whether it would be reasonable, ECBM must balance its duty of confidentiality to the third party against the rights of the data subject, and consider any steps taken to seek consent, whether the third party is capable of giving consent, and any express refusal of consent by the third party.

9. EXEMPTIONS

9.1 There are a number of exemptions from the provisions of the Act. These allow ECBM to either disclose or withhold data from disclosure in particular circumstances, without breaching the data protection principles.

9.2 Guidance on the exemptions and their application can be obtained from the College's Data Protection Officer.

10. GENERAL RESPONSIBILITIES OF ECBM STAFF

10.1 When processing personal data, ECBM staff must ensure that they abide by the Data Protection Act, and process data in accordance with the eight data protection principles.

11. SECURITY OF DATA

11.1 ECBM staff responsible for processing personal data must ensure that it is kept securely, to prevent unauthorised access, and must only disclose it to those authorised to receive it.

11.2 In the case of manual data, files containing personal data should be kept in locked storage cabinets when not in use. Such files should not be left on desks overnight.

11.3 Electronically held personal data must be protected by a password. Databases should be updated and cleared up regularly.

11.4 Any data should be shredded. This applies to personal data like student and personnel paper records as well as to any data concerning ECBM, e.g. teaching material or action plans.

11.5 Staff must ensure that they read and understand these policies and procedures.

11.6 Care must be taken to ensure that PCs and terminals on which personal data is viewed are not visible to unauthorised persons, especially in public places. Screens showing personal data should not be left unattended. Staff should use the "lock computer" facility on their PC if they are absent from their desk for a short period of time, and should log off for longer periods.

12. RETENTION TIMES

12.1 Some legislation provides for minimum periods in which certain types of record must be retained and afterwards shredded. These are:
Student files: 6 years after the student's leaving the College
Statutory payments (e.g. Maternity Pay, Sick Pay): 3 years after the end of the financial year to which they relate
All wage/salary records (including those for overtime, bonuses and expenses): 6 years
Health and safety records: 2 years (medical records) / 3 years (accident books, records, reports)
Application forms, CVs and interview/selection notes of personnel: 1 year
Disciplinary and grievance records: 3 years
Parental leave records: 5 years from the birth/adoption of the child
Pension records: 40 years
Pension trustees' minute books, HM Revenue & Customs approvals, works council minutes and health and safety records of consultations with employee representatives: should be retained permanently

13. DATA PROTECTION ADVICE WITHIN ECBM AND RELATED GUIDELINES AND POLICIES

13.1 The Operations Manager is the Data Protection Officer for ECBM and provides general advice on data protection and freedom of information. The Data Protection Officer should be informed of all data subject requests received by ECBM staff.

Footnote: THE ROLE OF THE INFORMATION COMMISSIONER

The Information Commissioner is an independent official appointed by the Government to oversee the Data Protection Act 1998, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. The Commissioner reports annually to Parliament. The Commissioner's decisions are subject to the supervision of the Courts and the Information Tribunal. The mission of the Office of the Information Commissioner is to promote public access to official information and to protect personal information. The Information Commissioner provides good practice guidance and interpretation of the Act for data controllers and advice to the public on how to access personal data. The website of the Office of the Information Commissioner is: http://www.ico.gov.uk/

The Commissioner has formal powers to force a data controller to take or refrain from certain actions if the Commissioner has determined there has been or is likely to be a breach of the Act. Failure to comply with a Decision or an Enforcement Notice may be dealt with as though the University had committed contempt of court.