Access to Personal Information Procedure


Purpose of Procedure

The sixth principle of the Data Protection Act 1998 gives rights to individuals in respect of the personal data that organisations hold about them. The Act says that:

"Personal data shall be processed in accordance with the rights of the data subject under this act."

The purpose of this procedure is to provide guidance to staff on how to manage any requests in relation to these rights in line with the Data Protection Act and company policy. For the purpose of clarity, these rights include:

- A right of access to a copy of the information held in their personal data, commonly known as a Subject Access Request
- A right to object to any data processing that is likely to cause or is causing damage or distress
- A right to prevent data processing for direct marketing
- A right to object to decisions being taken by automated means
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed, and
- A right to claim compensation for damages caused by a breach of the Act.

NB. Key definitions of terms used within this procedure are provided in Appendix 1.

Action Points

Subject Access Requests

Under Section 7 of the Data Protection Act, a Data Subject [1] can make a written request (includes email) to see a copy of the information Great Places as a data controller holds about them.

A request must be made directly by the Data Subject unless there is clear evidence that a third party (i.e. an advocate or legal representative) is acting on behalf of that individual. Steps must be taken to verify that the request has come directly from the Data Subject as outlined in the Information Security before a response to the Subject Access Request is provided. This may include asking the requestor to provide proof of their identity.

Under the terms of the Data Protection Act, Great Places charge a £10 fee to cover the administrative costs of producing a Subject Access Request, and this fee must be paid in full before the data is provided to the Data Subject. This fee may be waived in certain circumstances at the discretion of the Data Management Advisory Group.

[1] For point of reference, a Data Subject includes anyone receiving a service from Great Places including (but not exclusively) tenants and residents, floating support clients, employees, and applicants for employment.

Version date: January 2017

After receipt of the request, we have 40 calendar days to supply a permanent copy of the information to the data subject in a form agreed with the individual.

All Subject Access Requests should be directed to the Head of Business Assurance, who will oversee the process and liaise with appropriate teams and 3rd parties.

Individuals are only entitled to their own personal data, and Great Places have a duty to protect the personal data of any other individuals who may be referred to within documents, etc. We will endeavour to provide as much information as possible by making use of redaction.

Our contractors may hold personal information about our customers via their role as a data processor. In the course of compiling information for a Subject Access Request, we should contact any data processors who may hold data about the individual. Such data processors may include repairs contractors, out of hours call handlers, etc.

When compiling a Subject Access Request, the data controller must take into account any exemptions that mean certain types of data do not have to be supplied to the data subject. Examples of exemption include, but are not exclusive to:

- Personal data processed for crime and taxation purposes including:
  o The prevention or detection of crime
  o The capture or prosecution of offenders
  o The assessment or collection of tax or duty
- Legal advice and proceedings
- Confidential references given in connection with education, training or employment
- Personal data processed for management forecasting or management planning
- Data consisting of our intentions in negotiating with an individual re: compensation, etc.
- Personal data relating to an individual's physical or mental health if granting access would be likely to cause serious harm to the individual or someone else

Under section 42 of the Data Protection Act, individuals have the right to make a complaint to the Information Commissioner's Office (ICO) if:

- We do not respond to a request satisfactorily within the 40 day time limit
- We are holding personal data unfairly, for a different reason to that which it was originally collected for, or without appropriate security
- We are holding data that is inadequate, inaccurate or for longer than is necessary
- We fail to disclose information to the data subject outside of an accepted exemption

Requests to share information with 3rd parties

Requests to share personal information can come from a variety of sources but most commonly come from the police, local authority departments, other housing providers and support agencies.

We may also use the legitimate interest clause within the Data Protection Act in the following circumstances:

- To disclose a tenant's information to debt collection agencies if Great Places as the landlord are owed monies
- To pass tenant details to a utility company if the tenant has left the property with an unpaid debt on their account

Where a request is made with the data subject's permission, staff should provide the information required whilst taking care not to breach the data rights of any 3rd parties, and taking into account the exemptions within the Act.

When a request is made to share data without the data subject's consent, staff should always consider whether there is a justifiable reason to share the data. If staff receive any queries that they are unsure about, they should contact the Data Management Advice Group, who will consider the request.

Where a request is made outside of office hours (8am to 6pm), the individual dealing with the request should take a common sense approach to sharing the required information, particularly in the case of a serious police or safeguarding incident, and seek retrospective permission from the Data Management Advice Group at the earliest opportunity.

Any decisions to share, or withhold, information should be recorded on the Data Protection Incident Log to enable us to defend any decisions accurately if the need arises.

Requests for information about other individuals or general information

The Data Protection Act does not grant individuals access to information about other people, or to general information about the company, our decision making processes, financial status, etc. Any requests of this nature should be directed to the Head of Business Assurance, who will provide the required response.

Data Breaches

A data breach can occur where any of the 8 principles of the Data Protection Act are not complied with. The Information Commissioner's Office can fine organisations for breaching the Act, and many of the fines to date have been in relation to breaches of the 7th principle (keeping personal information secure). With this in mind, staff must appreciate the importance of protecting the data we hold and ensuring its security at all times.

Great Places has information security procedures in place to minimise the risk of data breaches.

If a member of staff thinks that a data breach has occurred, either directly or by a colleague or partner organisation, they must notify the Data Management Advice Group within 1 working day to enable a thorough investigation to be carried out and a decision made on whether the breach is reportable to the Information Commissioner's Office (based on its severity). All near misses should also be reported to ensure that appropriate preventative or corrective action can be taken to minimise any future risk.

Staff should note that a data breach, or a near miss, may lead to action under the company Disciplinary Policy if the investigation indicates that the individual acted with malice or in direct contravention of information security procedures.

Freedom of Information Requests

Great Places Housing Group are not currently classified as a public body under the terms of the Freedom of Information Act 2000 and, as such, are not required to comply with any direct requests under this legislation. However, our local authority partners are covered by the Act, and any information we have shared with them (i.e. emails, joint working documents, etc.) may be subject to disclosure.

Any requests relating to the Freedom of Information Act should be directed to the Head of Business Assurance, who will respond appropriately.

Responsibilities

All Great Places employees and partners have a responsibility to act in accordance with the Data Protection Act 1998; however, the following roles have a direct responsibility:

- Director of Business Intelligence: named Data Controller with the Information Commissioner's Office
- Head of Business Assurance: delegated responsibility for compliance with the Act
- Members of Data Management Advice Group: nominated points of contact for staff advice

Links to Related Strategies, Policies, Procedures and Forms

- Data Protection Policy
- Privacy Policy
- Information Security

Appendix 1: Key Definitions

Term: Data
Definition: Information which:
a) Is being processed by means of equipment operating automatically in response to instructions given for that purpose
b) Is recorded with the intention that it should be processed by means of such equipment
c) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system
d) Does not fall within points a-c above, but forms part of an accessible record
e) Is recorded information held by a public authority and does not fall within points a-d above.

Term: Personal Data
Definition: Data which relates to a living individual who can be identified:
a) From that data
b) From that data and other information which is in the possession of, or is likely to come into the possession of, the data controller
And includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Term: Sensitive Personal Data
Definition: Personal data consisting of information as to:
a) The racial or ethnic origin of the data subject
b) Their political opinions
c) Their religious beliefs or other beliefs of a similar nature
d) Whether they are a member of a trade union
e) Their physical or mental health or condition
f) Their sexual life
g) The commission or alleged commission by them of any offence
h) Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or sentencing

Term: Data Processing
Definition: Obtaining, recording or holding information or data or carrying out any operation or set of operations on the data including:
a) Organisation, adaptation or alteration of the information or data
b) Retrieval, consultation or use of the information or data
c) Disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) Alignment, combination, blocking, erasure or destruction of the information or data

Term: Data Processor
Definition: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller

Term: Data Subject
Definition: An individual who is the subject of personal data

Term: Data Controller
Definition: A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is to be processed

Equality Impact Assessment

Is this a key strategic document, major policy or procedure or service change? Examples may include: Homeless Strategy / Customer Involvement Strategy
YES / NO

What impact will your document or service delivery change have on the public or staff, giving particular regard to potential impacts on minority groups? Issues to consider include race, disability, gender, sexual orientation, religion, age, carers and other socio-economic factors.
HIGH / MEDIUM / LOW / DON'T KNOW

Please explain your answer: Provide a narrative explaining why you gave the impact rating above.

Approval Date: 5th January 2017
Equality Impact Assessment Date: January 2017
Safeguarding impact: Not applicable
Review Date: By 30th April 2018 prior to introduction of GDPR
Lead Team: Business Assurance
Level of Authorisation Required: Service Delivery Leadership Team